Powered by Blogger.
Home » » OWASP Top 10 Web Hacking Final Lab 6 - SQL Injection, Burpsuite, cURL, Man-In-The-Middle Attack

OWASP Top 10 Web Hacking Final Lab 6 - SQL Injection, Burpsuite, cURL, Man-In-The-Middle Attack

Written By Akademy on Thursday, November 21, 2013 | 8:52 PM

{ SQL Injection, Burpsuite, cURL, Man-In-The-Middle Attack }

    OWASP Top 10 Web Hacking Final  Lab 6
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
  • What is a Man-In-The-Middle attack?
    • The man-in-the-middle attack take on many forms.  The most common form is active network eavesdropping in which the attacker is able to gain authentication credentials (Username, Password, SESSIONID, Cookies Information, etc).
  • What is cURL?
    • cURL stands for "Client URL Request Library".
    • This is a command line tool for getting or sending files using URL syntax.
    • It supports a range of common Internet protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP.
    • (Damn Beautiful Tool in my opinion)
  • What is Burp Suite?
    • Burp Suite is a Java application that can be used to secure or crack web applications. The suite consists of different tools, such as a proxy server, a web spider, an intruder and a so-called repeater, with which requests can be automated.
    • When Burp suite is used as a proxy server and a web browser uses this proxy server, it is possible to have control of all traffic that is exchanged between the web browser and web servers. Burp makes it possible to manipulate data before it is sent to the web server.
  • What is Cookie Manager+?
    • Cookies manager to view, edit and create new cookies. It also shows extra information about cookies, allows edit multiple cookies at once and backup/restore them.
 Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

Section 8. Go To Login Page
  1. Go to Login
    • Instructions:
      1. Click on Login / Register

Section 9. Configure Firefox Proxy Settings
  1. View Preferences
    • Instructions:
      1. Edit --> Preferences
  2. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button
     
  3. Connection Settings
    • Instructions:
      1. Click on Manual proxy configurations
      2. Type "127.0.0.1" in the HTTP Proxy Text Box
      3. Type "8080" in the Port Text Box
      4. Check Use the proxy server for all protocols
      5. Click OK
      6. Click Close

Section 10. Configure Burpsuite Settings
  1. Start Burp Suite
    • Instructions:
      1. Applications --> BackTrack --> Vulnerability Assessment --> Web Application Assessment ---> Web Application Proxies --> burpsuite
  2. JRE Message
    • Instructions:
      1. Click OK
  3. Configure proxy
    • Instructions:
      1. Click on the proxy tab
      2. Click on the options tab
      3. Verify the port is set to 8080
  4. Turn on intercept
    • Instructions:
      1. Click on the proxy tab
      2. Click on the intercept tab
      3. Verify the intercept button shows "intercept is off"

Section 11. SQL Injection: By-Pass Password Without Username (Obtain Access #1)
  1. Login Without Password
    • Instructions:
      1. Place the following in the Name Textbox --> ' or 1=1--
        • Make sure you put a space after the "-- "
      2. Click the Login Button
    • Note(FYI):
      • The string ' or 1=1--  placed in the below query means the following:
        • Search for username that is either equal to nothing OR where 1 is equal to 1.  So, we created a condition that is always true (OR 1=1).  The "-- " string is a comment in SQL.  We used this trick to comment out the rest of the SQL query (AND password=''), which eliminates that password authentication.
      • SELECT * FROM accounts WHERE username='' or 1=1-- ' AND password=''
  2. View Post Data (With Burp Suite)
    • Instructions:
      1. Click on the Proxy Tab
      2. Click on the History Tab
      3. Click on the line that contains --> /mutillidae/index.php?page=login.php
      4. Click on the Request Tab
      5. Click on the Raw Tab
      6. View the Post Data String
        • Later we will populate curl with this POST data string.
    • Note(FYI):
      • username=%27+or+1%3D1--+&password=&login-php-submit-button=Login
        1. %27 is a single quote (')
        2. + is a space
        3. %3D is a equal sign (=)
Section 12. Simulate CURL SQL Injection: (Obtain Access #1)
  1. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)
  2. Use Curl to Login with POST Data
    • Note(FYI):
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login" --location "http://192.168.1.111/mutillidae/index.php?page=login.php" > login1.txt
      2. grep "Logged In" login1.txt
      3. cat crack_cookies.txt
    • Note(FYI):
      1. This curl statement provides the blueprint to automate SQL Injection attempts. Below is the form POST Data we obtained from Burpsuite (Section 11, Step 2).
        • --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login"
      2. Notice that grep returns the positive result string "Logged In Admin".
      3. The crack_cookies.txt file contains the session cookies including the PHP session ID (PHPSESSID) and the UID of the user admin. 

Section 13. SQL Injection: Single Quote Test On Password Field (Obtain Access #2)
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element
  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. After size=, replace the string "20" with "50"
      3. After maxlength=, replace the string "20" with "50"
      4. Minimize Firebug
  3. Apply Always True Test to Password Textbox
    • Instructions:
      1. Name: samurai
      2. Password: ' or (1=1 and username='samurai')--
        • Remember to put a space after the "-- ".
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext
  4. View Post Data (With Burp Suite)
    • Instructions:
      1. Click on the Proxy Tab
      2. Click on the History Tab
      3. Click on the line that contains --> /mutillidae/index.php?page=login.php
      4. Click on the Request Tab
      5. Click on the Raw Tab
      6. Highlight all the text and right click
      7. Click "Copy to File"
        • Later we will populate curl with this POST data string.
    • Note(FYI):
      • username=samurai&password=%27+or+%281%3D1+and+username%3D%27samurai%27%29--+&login-php-submit-button=Login
        1. %27 is a single quote (')
        2. + is a space
        3. %28 is a left parenthesis
        4. %29 is a right parenthesis
        5. %3D is a equal sign (=)
  5. Save File
    • Instructions:
      1. Save In: root
      2. File Name: burp2.txt
      3. Click the Save Button
  6. View Post Data (With Burpsuite)
    • Instructions:
      1. cd /root
      2. grep -i cookie burp2.txt
      3. grep -i username burp2.txt
        • This is the form POST Data String.
  7. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)
      2. Close Firefox

Section 14. Simulate cURL SQL Injection: (Obtain Access #2)
  1. Use Curl to Login with POST Data
    • Note(FYI):
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. rm crack_cookies.txt
      2. grep -i username burp2.txt
        • This form POST Data string will be used in the following command.
      3. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "username=samurai&password=%27+or+%281%3D1+and+username%3D%27samurai%27%29--+&login-php-submit-button=Login" --location "http://192.168.1.111/mutillidae/index.php?page=login.php" > login2.txt
      4. grep "Logged In" login2.txt
      5. cat crack_cookies.txt
    • Note(FYI):
      1. This command provide the POST DATA String.  Take this string and place it in the next curl command.
      2. This curl statement provides the blueprint to automate SQL Injection attempts.
      3. Notice that grep returns the positive result string "Logged In".
      4. The crack_cookies.txt file contains the session cookies including the PHP session ID (PHPSESSID) and the UID of the user admin. 

Section 15. Restore Firefox Original Proxy Configurations
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Firefox Preferences
    • Instructions:
      1. Edit --> Preferences
  3. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button
  4. Connection Settings
    • Instructions:
      1. Click on the No proxy radio button
      2. Click on the OK button
      3. Click on the Close button
Section 16. Simulate Man-In-The-Middle Attack
  1. Start Cookies Manager+
    • Instructions:
      1. Tools --> Cookies Manager+
    • Notes (FYI):
      • Click here to install Cookie Manager+ you have not already done so.
  2. Add Cookie Entry
    • Instructions:
      1. Click the Add Button
  3. Add PHPSESSID Cookie Entry
    • Note(FYI):
      1. Replace nbag2jctr1p9vatb2g62pch8e2 with your PHPSESSID found in crack_cookies.txt (See Below Picture).
      2. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: PHPSESSID
      2. Content: nbag2jctr1p9vatb2g62pch8e2
      3. Host: 192.168.1.111
      4. Path: /
      5. Click the Save Button.
  4. Add Cookie Entry
    • Instructions:
      1. Click the Add Button
  5. Add showhints Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: showhints
      2. Content: 0
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button
  6. Add Cookie Entry
    • Instructions:
      1. Click the Add Button
  7. Add username Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: username
      2. Content: samurai
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button
  8. Add Cookie Entry
    • Instructions:
      1. Click the Add Button
  9. Add uid Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: uid
      2. Content: 6
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button
      6. Click the Close Button
  10. Add uid Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
      2. Notice you will be automagically logged in without a password.  For this reason, it is extremely important that session information is (1) not only encrypted, (2) but also users logout after they finish their session.
    • Instructions:
      1. http://192.168.1.111/mutillidae/index.php

Section 17. Proof of Lab
  1. Proof of Lab : Các bạn hãy quay lại toàn bộ quá trình thực hiện
Share this article :

0 comments:

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT