OWASP Top 10 Web Hacking Final Lab 5 - Manual SQL Injection with Firebug

Written By Akademy on Thursday, November 21, 2013 | 8:47 PM

  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application that provides a target for web-security enthusiasts.
  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data-driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

Section 8. SQL Injection: Single Quote Test On Username Field
  1. Go to Login
    • Instructions:
      1. Click on Login / Register
  2. Single Quote (') Test
    • Instructions:
      1. Place a single quote (') in the Name Text Box (See Picture)
      2. Click the Login Button
    • Note(FYI):
      • After you click the Login button you will receive some errors.
      • Continue to next step.
  3. Analyze Single Quote (') Results
    • Note(FYI):
      1. Placing a single quote (') in the Name textbox breaks the query below, because the single quote is a reserved SQL character that terminates the string literal early.  The mere fact that the query produces an error means there is a strong possibility that the backend program is susceptible to SQL injection.
        • SELECT * FROM accounts WHERE username=''' AND password=''
      2. Below is an example of a normal query
        • SELECT * FROM accounts WHERE username='admin' AND password='adminpass'

Section 9. SQL Injection: By-Pass Password Without Username (Obtain Access #1)
  1. Login Without Password
    • Instructions:
      1. Place the following in the Name Textbox --> ' or 1=1--
        • Make sure you put a space after the "-- "
      2. Click the Login Button
    • Note(FYI):
      • The string ' or 1=1--  placed in the below query means the following:
        • Search for a username that is either equal to nothing OR where 1 is equal to 1.  So, we created a condition that is always true (OR 1=1).  The "-- " string is a comment in SQL.  We used this trick to comment out the rest of the SQL query (AND password=''), which eliminates the password check.
      • SELECT * FROM accounts WHERE username='' or 1=1-- ' AND password=''
  2. Verifying Results (Got Admin?)
    • Note(FYI):
      1. Notice you are logged in as admin.  Due to Mutillidae's code design, we are logged in as admin, because admin is the first user in the accounts table.
      2. In DVWA, a similar string (%' or '0'='0'-- ) displays the entire list of application users due to its code design.
  3. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)
Section 9. SQL Injection: Single Quote Test On Password Field
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element
  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. Minimize Firebug
  3. Single Quote (') Test
    • Instructions:
      1. Name: samurai
      2. Place a single quote (') in the Password Text Box (See Picture)
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext.
      • After you click the Login button you will receive some errors.
  4. Analyze Single Quote (') Results
    • Note(FYI):
      1. Placing a single quote (') in the Password textbox breaks the query below, because the single quote is a reserved SQL character that terminates the string literal early.  The mere fact that the query produces an error means there is a strong possibility that the backend program is susceptible to SQL injection.
        • SELECT * FROM accounts WHERE username='samurai' and password='''
      2. Below is an example of a normal query
        • SELECT * FROM accounts WHERE username='samurai' AND password='samurai'

Section 10. SQL Injection: Single Quote Test On Password Field (Obtain Access #2)
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element
  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. Minimize Firebug
  3. Apply Always True Test to Password Textbox
    • Instructions:
      1. Name: samurai
      2. Password: ' or 1=1--
        • Remember to put a space after the "-- ".
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext.
  4. Verifying Results
    • Note(FYI):
      1. Well, this is a head scratcher.  On one hand I am glad I am logged in, but I should be logged in as samurai instead of admin.
      2. Due to Mutillidae's code design, we are logged in as admin, because admin is the first user in the accounts table.
  5. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)

Section 11. SQL Injection: Single Quote Test On Password Field (Obtain Access #3)
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element
  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. After size=, replace the string "20" with "50"
      3. After maxlength=, replace the string "20" with "50"
      4. Minimize Firebug
  3. Apply Always True Test to Password Textbox
    • Instructions:
      1. Name: samurai
      2. Password: ' or (1=1 and username='samurai')--
        • Remember to put a space after the "-- ".
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext
  4. Verifying Results (Got Samurai?)
    • Note(FYI):
      1. Notice you are logged in as Samurai thanks to some SQL adjustments.
      2. Good Stuff Man ---> ' or (1=1 and username='samurai')--

Section 12. Database Practice
  1. On Fedora, Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Log in to mysql
    • Instructions:
      1. mysql -uroot -psamurai
      2. show databases;
      3. use nowasp;
    • Note(FYI):
      • show databases, provides you a database list.
      • use nowasp, lets the user select a particular database.
  4. Examine the accounts table
    • Instructions:
      1. show tables;
      2. desc accounts;
    • Notes (FYI):
      • show tables, allows you to see all the tables in the nowasp database.
      • desc accounts, allows you to see all the columns in the accounts table.
  5. View accounts table contents
    • Instructions:
      1. select * from accounts;
    • Notes (FYI):
      • The above command lets you see all the records in the accounts table.
  6. Display Result Examples
    • Instructions:
      1. select * from accounts where username = ''  and password = '';
        • Note, all quotes are single quotes (');
      2. select * from accounts where username = 'samurai'  and password = 'samurai';
        • Note, all quotes are single quotes (');
      3. select * from accounts where username = 'samurai'  and password = 'wrongpassword';
      4. select * from accounts where username = 'samurai';-- and password = 'wrongpassword';
    • Notes (FYI):
      1. The first query is the actual stored procedure that Mutillidae uses to verify username/password credentials.
      2. The second query is an example of a successful authentication of credentials. (Eg., username = 'samurai' and password = 'samurai')
      3. The third query is an example of an unsuccessful authentication of credentials.  (Eg., username = 'samurai' and password = 'wrongpassword')
      4. The fourth query is an example of how to comment out the "and password" clause of the Mutillidae stored procedure in order to authenticate credentials.
  7. Display Single Quote(') Test Results
    • Instructions:
      1. select * from accounts where username = '''  and password = '';
        • Note, all quotes are single quotes (');
      2. ';
      3. select * from accounts where username = '' or 1=1; --   and password = '';
        • Note, all quotes are single quotes (');
    • Notes (FYI):
      1. The first query is an example of (Section 8, Step 1).
      2. Notice that the mysql shell continues to the next line, meaning the statement is broken, which produced the errors seen in (Section 8, Step 2).  To get back to the mysql shell, we have to complete the statement with a ( '; ).
      3. The second query is an example of (Section 9, Step 1).  The ' or 1=1 produces an always-true condition, and the ; -- comments out (disables) the "and password" clause.
  8. Display Single Quote(') Test Results
    • Instructions:
      1. select * from accounts where username = 'samurai' and password = '' or 1=1; -- ';
        • Note, all quotes are single quotes (');
      2. select * from accounts where username = 'samurai' and password = '' or (1=1 and username = 'samurai'); -- ';
        • Note, all quotes are single quotes (');
    • Notes (FYI):
      1. The first query is an example of (Section 10, Step 3).  Due to the code design of Mutillidae, only one result is displayed in the application.  However, running this query directly in mysql will yield all records.
      2. The second query is an example of (Section 11, Step 3).  The ' or (1=1 and username = 'samurai'); -- produces an always-true condition restricted to the samurai row, and the ; -- comments out (disables) the "and password" clause.
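To see why the lab's payloads work against Mutillidae's login query and why a parameterized query is immune to them, here is an added example (not code from the original lab or from Mutillidae) that runs the concatenated query from Sections 8 to 11 beside a parameterized version against a constructed in-memory SQLite table; SQLite accepts the same `-- ` comment syntax, so the outcomes match the MySQL practice above. The `accounts` rows, column names and the two login functions are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for Mutillidae's accounts table
# (only the two columns the lab's queries use; not the real schema).
ACCOUNTS = [("admin", "adminpass"), ("samurai", "samurai")]


def make_db():
    """Builds an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, as the lab's queries show."""
    sql = ("SELECT username FROM accounts WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A stray quote breaks the statement: the error seen in Sections 8 and 9.
        return ("error", str(exc))
    # Like Mutillidae, treat the first matching row as the logged-in user.
    return ("ok", rows[0][0]) if rows else ("denied", None)


def login_safe(conn, username, password):
    """Same query with bound parameters: input stays data, never SQL syntax."""
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return ("ok", rows[0][0]) if rows else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    # The three inputs used in Sections 8, 9 and 11, side by side.
    for user, pw in [("'", ""), ("' or 1=1-- ", ""),
                     ("samurai", "' or (1=1 and username='samurai')-- ")]:
        print(repr(pw or user), login_vulnerable(db, user, pw),
              login_safe(db, user, pw))
```

The parameterized version returns "denied" for every injected string and still logs samurai in with the real password, which is the fix the lab's findings call for.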

Section 13. Proof of Lab
  1. Proof of Lab - Record the entire hands-on process.
Information Security Training Center Hacker Mũ Xám Online | Online Network Security Training | CEH VIETNAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved