ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views: 12254

(Mutillidae: Lesson 5)

{ Manual SQL Injection with Firebug }


Section 0. Background Information
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
    3. BackTrack: Lesson 9: How To Install Firebug

  • Lab Notes
    • In this lab we will do the following:
      1. Test the Login.php script for SQL Injection Vulnerabilities.
      2. Show several methods on how to omit the password clause.
      3. Give a brief database tutorial to example the actual SQL Injection methods.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight Fedora14 - Mutillidae
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2: Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine

     

  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

 

Section 4: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 5: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

 

Section 7: Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

 

Section 8: SQL Injection: Single Quote Test On Username Field
  1. Go to Login
    • Instructions:
      1. Click on Login / Register

     

  2. Single Quote (') Test
    • Instructions:
      1. Place a single quote (') in the Name Text Box (See Picture)
      2. Click the Login Button
    • Note(FYI):
      • After you click the Login button you will receive some errors.
      • Continue to next step.

     

  3. Analyze Single Quote (') Results
    • Note(FYI):
      1. A single quote (') is a reserved SQL character that breaks the below query by placing it in the Name textbox.  The mere fact that the query produces an error means their is a strong possibility that the backend program is susceptible to a SQL Injection.
        • SELECT * FROM accounts WHERE username=''' AND password=''
      2. Below is an example of a normal query
        • SELECT * FROM accounts WHERE username='admin' AND password='adminpass'

 

Section 9: SQL Injection: By-Pass Password Without Username (Obtain Access #1)
  1. Login Without Password
    • Instructions:
      1. Place the following in the Name Textbox --> ' or 1=1--
        • Make sure you put a space after the "-- "
      2. Click the Login Button
    • Note(FYI):
      • The string ' or 1=1--  placed in the below query means the following:
        • Search for username that is either equal to nothing OR where 1 is equal to 1.  So, we created a condition that is always true (OR 1=1).  The "-- " string is a comment in SQL.  We used this trick to comment out the rest of the SQL query (AND password=''), which eliminates that password authentication.
      • SELECT * FROM accounts WHERE username='' or 1=1-- ' AND password=''

     

  2. Verifying Results (Got Admin?)
    • Note(FYI):
      1. Notice you are logged in as admin.  Due to Mutillidae's code design, we are logged in as admin, because admin is the first user in accounts table.
      2. In DVWA, as similar string (%' or '0'='0'-- ) displays the entire list of application users due to its' code design.

     

  3. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)

     

Section 9: SQL Injection: Single Quote Test On Password Field
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element

     

  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. Minimize Firebug

     

  3. Single Quote (') Test
    • Instructions:
      1. Name: samurai
      2. Place a single quote (') in the Password Text Box (See Picture)
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext.
      • After you click the Login button you will receive some errors.

     

  4. Analyze Single Quote (') Results
    • Note(FYI):
      1. A single quote (') is a reserved SQL character that breaks the below query by placing it in the Password textbox.  The mere fact that the query produces an error means their is a strong possibility that the backend program is susceptible to a SQL Injection.  
        • SELECT * FROM accounts WHERE username='samurai' and password='''
      2. Below is an example of a normal query
        • SELECT * FROM accounts WHERE username='samurai' AND password='samurai'

 

Section 10: SQL Injection: Single Quote Test On Password Field (Obtain Access #2)
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element

     

  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. Minimize Firebug

     

  3. Apply Always True Test to Password Textbox
    • Instructions:
      1. Name: samurai
      2. Password: ' or 1=1--
        • Remember to put a space after the "-- ".
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext.

     

  4. Verifying Results
    • Note(FYI):
      1. Well, this is a head scratcher.  On one hand I am glad I am logged in, but I am should be logged in as samurai instead of admin.
      2. Due to Mutillidae's code design, we are logged in as admin, because admin is the first user in accounts table

     

  5. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)

 

Section 11: SQL Injection: Single Quote Test On Password Field (Obtain Access #3)
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element

     

  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. After size=, replace the string "20" with "50"
      3. After maxlength=, replace the string "20" with "50"
      4. Minimize Firebug

     

  3. Apply Always True Test to Password Textbox
    • Instructions:
      1. Name: samurai
      2. Password: ' or (1=1 and username='samurai')--
        • Remember to put a space after the "-- ".
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext

     

  4. Verifying Results (Got Samurai?)
    • Note(FYI):
      1. Notice you are logged in as Samurai thanks to some SQL adjustments.
      2. Good Stuff Man ---> ' or (1=1 and username='samurai')--

 

Section 12: Database Practice
  1. On Fedora, Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Log in to mysql
    • Instructions:
      1. mysql -uroot -psamurai
      2. show databases;
      3. use nowasp;
    • Note(FYI):
      • show databases, provides you a database list.
      • use nowasp, lets the user select a particular database.

     

  4. Examine the accounts table
    • Instructions:
      1. show tables;
      2. desc accounts;
    • Notes (FYI):
      • show tables, allows you to see all the tables in the nowasp database.
      • desc accounts, allows you to see all the columns in the accounts table.

     

  5. View accounts table contents
    • Instructions:
      1. select * from accounts;
    • Notes (FYI):
      • The above command lets you see all the records in the accounts table.

     

  6. Display Result Examples
    • Instructions:
      1. select * from accounts where username = ''  and password = '';
        • Note, all quotes are single quotes (');
      2. select * from accounts where username = 'samurai'  and password = 'samurai';
        • Note, all quotes are single quotes (');
      3. select * from accounts where username = 'samurai'  and password = 'wrongpassword';
      4. select * from accounts where username = 'samurai';-- and password = 'wrongpassword';
    • Notes (FYI):
      1. The first query is the actual stored procedure that Mutillidae uses to verify username/password credentials.
      2. The second query is an example of a successful authentication of credentials. (Eg., username = 'samurai' and password = 'samurai')
      3. The third query is an example of an unsuccessful authentication of credentials.  (Eg., username = 'samurai' and password = 'wrongpassword')
      4. The forth query is an example of how to comment out the "and password" clause of the Mutillidae stored procedure to authenticate credentials.

     

  7. Display Single Quote(') Test Results
    • Instructions:
      1. select * from accounts where username = '''  and password = '';
        • Note, all quotes are single quotes (');
      2. ';
      3. select * from accounts where username = '' or 1=1; --   and password = '';
        • Note, all quotes are single quotes (');
    • Notes (FYI):
      1. The first query is an example of (Section 8, Step 1).
      2. Notice that the mysql shell continues to the next line, meaning the statement is broken, which produced the errors seen in (Section 8, Step 2).  To get back to the mysql shell, we have to complete the statement with a ( '; ).
      3. The second query is an example (Section 9, Step 1).  The ' or 1=1 produces an always true condition, and the ; --  comments/disables the "and password clause.

     

  8. Display Single Quote(') Test Results
    • Instructions:
      1. select * from accounts where username = 'samurai' and password = '' or 1=1; -- ';
        • Note, all quotes are single quotes (');
      2. select * from accounts where username = 'samurai' and password = '' or (1=1 and username = 'samurai'); -- ';
        • Note, all quotes are single quotes (');
    • Notes (FYI):
      1. The first query is an example of (Section 10, Step 3).  Do to the code design of Mutillidae only one result is displayed in the application.  However, running this query directly in mysql will yield all records.
      2. The second query is an example (Section 11, Step 3).  The ' or (1=1 and username = 'samurai'); --  produces an always true condition, and the ; --  comments/disables the "and password clause

 

Section 13: Proof of Lab
  1. Proof of Lab, (On a Fedora Terminal)
    • Instructions:
      1. mysql -uroot -psamurai
      2. use nowasp;
      3. select * from accounts where username = 'samurai' and password = '' or (1=1 and username = 'samurai'); -- ';
        • Note, all quotes are single quotes (');
      4. \! date
      5. \! echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth