Mutillidae - Lesson 5 - Manual SQL Injection With Firebug PDF

12/4/2016 Mutillidae: Lesson 5: Manual SQL Injection with Firebug
ComputerSecurityStudent (CSS) [Login] [Join Now]
HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US
|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views:
6713

(Mutillidae: Lesson 5)

{ Manual SQL Injection with Firebug } Help
ComputerSecurityStudent
pay for continued
research,
Section 0. Background Information resources & bandwidth

What is Mutillidae?
OWASP Mutillidae II is a free, open source, deliberately vulnerable
webapplication providing a target for websecurity enthusiast.
What is a SQL Injection?
SQL injection (also known as SQL fishing) is a technique often used to
attack data driven applications.
This is done by including portions of SQL statements in an entry field
in an attempt to get the website to pass a newly formed rogue SQL
command to the database (e.g., dump the database contents to the
attacker). SQL injection is a code injection technique that exploits a
security vulnerability in an application's software.
The vulnerability happens when user input is either incorrectly
filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for
websites but can be used to attack any type of SQL database.
PreRequisite Lab
1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
Note: Remote database access has been turned on to provide an
additional vulnerability.
2. BackTrack: Lesson 1: Installing BackTrack 5 R1
Note: This is not absolutely necessary, but if you are a computer
security student or professional, you should have a BackTrack VM.
3. BackTrack: Lesson 9: How To Install Firebug
Lab Notes
In this lab we will do the following:
1. Test the Login.php script for SQL Injection Vulnerabilities.
2. Show several methods on how to omit the password clause.
3. Give a brief database tutorial to example the actual SQL Injection
methods.
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for
any purpose that is unlawful or that is prohibited by these terms,
conditions, and notices.
In accordance with UCC § 2316, this product is provided with "no
warranties, either express or implied." The information contained is
provided "asis", with "no guarantee of merchantability."
In addition, this is a teaching website that does not condone
malicious behavior of any kind.
You are on notice, that continuing and/or using this lab outside your
"own" test environment is considered malicious and is against the law.
© 2013 No content replication of any kind is allowed without express
written permission.
https://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson5/index.html 1/31

Section 1: Configure Fedora14 Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit Fedora Mutillidae Virtual Machine Settings
Instructions:
1. Highlight Fedora14 Mutillidae
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button
Section 2: Login to Fedora14 Mutillidae
1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14 Mutillidae
3. Play virtual machine
2. Login to Fedora14 Mutillidae
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>
3. Get IP Address
Instructions:
1. ifconfig a
Notes (FYI):
As indicated below, my IP address is 192.168.1.111.
Please record your IP address.
Section 4: Configure BackTrack Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit the BackTrack5R1 VM
Instructions:
1. Select BackTrack5R1 VM
2. Click Edit virtual machine settings
3. Edit Virtual Machine Settings
Instructions:
1. Click on Network Adapter
2. Click on the Bridged Radio button
3. Click on the OK Button
Section 5: Play and Login to BackTrack
1. Play the BackTrack5R1 VM
Instructions:
1. Click on the BackTrack5R1 VM
2. Click on Play virtual machine

2. Login to BackTrack
Instructions:
1. Login: root
2. Password: toor or <whatever you changed it to>.
3. Bring up the GNOME
Instructions:
1. Type startx
Section 6: Open Console Terminal and Retrieve IP Address
1. On BackTrack, Start up a terminal window
Instructions:
1. Click on the Terminal Window

2. Obtain the IP Address
Instructions:
1. ifconfig a
Note(FYI):
My IP address 192.168.1.109.
In your case, it will probably be different.
This is the machine that will be use to attack the victim machine
(Metasploitable).
Section 7: Start Web Browser Session to Mutillidae
1. On BackTrack, Open Firefox
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to
Applications > Internet > Firefox Web Browser
2. Open Mutillidae
Notes (FYI):
Replace 192.168.1.111 in the following URL >
http://192.168.1.111/mutillidae, with your Mutillidae's IP Address
obtained from (Section 3, Step 3)
Instructions:
1. http://192.168.1.111/mutillidae
Section 8: SQL Injection: Single Quote Test On Username Field
1. Go to Login
Instructions:
1. Click on Login / Register
2. Single Quote (') Test
Instructions:
1. Place a single quote (') in the Name Text Box (See Picture)
2. Click the Login Button
Note(FYI):
After you click the Login button you will receive some errors.
Continue to next step.

3. Analyze Single Quote (') Results
Note(FYI):
1. A single quote (') is a reserved SQL character that breaks the
below query by placing it in the Name textbox. The mere fact that
the query produces an error means their is a strong possibility
that the backend program is susceptible to a SQL Injection.
SELECT * FROM accounts WHERE username=''' AND password=''
2. Below is an example of a normal query
SELECT * FROM accounts WHERE username='admin' AND password='adminpass'
Section 9: SQL Injection: ByPass Password Without Username (Obtain Access #1)
1. Login Without Password
Instructions:
1. Place the following in the Name Textbox > ' or 1=1
Make sure you put a space after the " "
Note(FYI):
The string ' or 1=1 placed in the below query means the
following:
Search for username that is either equal to nothing OR where 1
is equal to 1. So, we created a condition that is always true
(OR 1=1). The " " string is a comment in SQL. We used this
trick to comment out the rest of the SQL query (AND
password=''), which eliminates that password authentication.
SELECT * FROM accounts WHERE username='' or 1=1‐‐ ' AND password=''
2. Verifying Results (Got Admin?)
Note(FYI):
1. Notice you are logged in as admin. Due to Mutillidae's code
design, we are logged in as admin, because admin is the first user
in accounts table.
2. In DVWA, as similar string (%' or '0'='0' ) displays the entire
list of application users due to its' code design.
3. Logout of Session
Instructions:
1. Click Logout (See Picture)
Section 9: SQL Injection: Single Quote Test On Password Field
1. Inspect Password Box Element
Instructions:
1. Click Login/Register
2. Name: samurai
3. Password: Right Click
4. Click the Inspect Element

2. Edit Password Box Element
Instructions:
1. Replace the string "password" with the word "text"
2. Minimize Firebug
3. Single Quote (') Test
Instructions:
1. Name: samurai
2. Place a single quote (') in the Password Text Box (See Picture)
Note(FYI):
Notice the Password textbox is no longer obfuscated and is now in
plaintext.
After you click the Login button you will receive some errors.
4. Analyze Single Quote (') Results
Note(FYI):
1. A single quote (') is a reserved SQL character that breaks the
below query by placing it in the Password textbox. The mere fact
that the query produces an error means their is a strong
possibility that the backend program is susceptible to a SQL
Injection.
SELECT * FROM accounts WHERE username='samurai' and password='''
2. Below is an example of a normal query
SELECT * FROM accounts WHERE username='samurai' AND password='samurai'

Section 10: SQL Injection: Single Quote Test On Password Field (Obtain Access #2)
Instructions:
2. Name: samurai
Instructions:
2. Minimize Firebug
3. Apply Always True Test to Password Textbox
Instructions:
1. Name: samurai
2. Password: ' or 1=1
Remember to put a space after the " ".
Note(FYI):
plaintext.
4. Verifying Results
Note(FYI):
1. Well, this is a head scratcher. On one hand I am glad I am logged
in, but I am should be logged in as samurai instead of admin.
2. Due to Mutillidae's code design, we are logged in as admin,
because admin is the first user in accounts table
5. Logout of Session
Instructions:
1. Click Logout (See Picture)
Section 11: SQL Injection: Single Quote Test On Password Field (Obtain Access #3)
Instructions:
2. Name: samurai
Instructions:
2. After size=, replace the string "20" with "50"
3. After maxlength=, replace the string "20" with "50"
4. Minimize Firebug
3. Apply Always True Test to Password Textbox
Instructions:
1. Name: samurai
2. Password: ' or (1=1 and username='samurai')
Remember to put a space after the " ".
Note(FYI):
plaintext
4. Verifying Results (Got Samurai?)
Note(FYI):
1. Notice you are logged in as Samurai thanks to some SQL
adjustments.
2. Good Stuff Man > ' or (1=1 and username='samurai')
Section 12: Database Practice
1. On Fedora, Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>
3. Log in to mysql
Instructions:
1. mysql uroot psamurai
2. show databases;
3. use nowasp;
Note(FYI):
show databases, provides you a database list.
use nowasp, lets the user select a particular database.
4. Examine the accounts table
Instructions:
1. show tables;
2. desc accounts;
Notes (FYI):
show tables, allows you to see all the tables in the nowasp
database.
desc accounts, allows you to see all the columns in the accounts
table.

5. View accounts table contents
Instructions:
1. select * from accounts;
Notes (FYI):
The above command lets you see all the records in the accounts
table.
6. Display Result Examples
Instructions:
1. select * from accounts where username = '' and password = '';
Note, all quotes are single quotes (');
2. select * from accounts where username = 'samurai' and password = 'samurai';
3. select * from accounts where username = 'samurai' and password = 'wrongpassword';
4. select * from accounts where username = 'samurai';‐‐ and password =
'wrongpassword';
Notes (FYI):
1. The first query is the actual stored procedure that Mutillidae
uses to verify username/password credentials.
2. The second query is an example of a successful authentication of
credentials. (Eg., username = 'samurai' and password = 'samurai')
3. The third query is an example of an unsuccessful authentication of
credentials. (Eg., username = 'samurai' and password =
'wrongpassword')
4. The forth query is an example of how to comment out the "and
password" clause of the Mutillidae stored procedure to
authenticate credentials.
7. Display Single Quote(') Test Results
Instructions:
1. select * from accounts where username = ''' and password = '';
2. ';
3. select * from accounts where username = '' or 1=1; ‐‐ and password = '';
Notes (FYI):
1. The first query is an example of (Section 8, Step 1).
2. Notice that the mysql shell continues to the next line, meaning
the statement is broken, which produced the errors seen in
(Section 8, Step 2). To get back to the mysql shell, we have to
complete the statement with a ( '; ).
3. The second query is an example (Section 9, Step 1). The ' or 1=1
produces an always true condition, and the ; ‐‐ comments/disables
the "and password clause.
8. Display Single Quote(') Test Results
Instructions:
1. select * from accounts where username = 'samurai' and password = '' or 1=1; ‐‐ ';
2. select * from accounts where username = 'samurai' and password = '' or (1=1 and username =
'samurai'); ‐‐ ';
Notes (FYI):
1. The first query is an example of (Section 10, Step 3). Do to the
code design of Mutillidae only one result is displayed in the
application. However, running this query directly in mysql will
yield all records.
2. The second query is an example (Section 11, Step 3). The ' or (1=1
and username = 'samurai'); ‐‐ produces an always true condition, and the
; ‐‐ comments/disables the "and password clause
Section 13: Proof of Lab
1. Proof of Lab, (On a Fedora Terminal)
Instructions:
1. mysql uroot psamurai
2. use nowasp;
3. select * from accounts where username = 'samurai' and password = '' or (1=1 and username =
'samurai'); ‐‐ ';
4. \! date
5. \! echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions
1. Press both the <Ctrl> and <Alt> keys at the same time.
2. Do a <PrtScn>
3. Paste into a word document
4. Upload to Moodle

Mutillidae - Lesson 5 - Manual SQL Injection With Firebug PDF

Uploaded by

Copyright:

Available Formats

You might also like

Mutillidae - Lesson 5 - Manual SQL Injection With Firebug PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mutillidae - Lesson 5 - Manual SQL Injection With Firebug PDF

Uploaded by

Copyright:

Available Formats

12/4/2016 Mutillidae: Lesson 5: Manual SQL Injection with Firebug

ComputerSecurityStudent (CSS) [Login] [Join Now]

HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US

You might also like