Wednesday, January 31, 2024

DVWA: SQL injection walkthrough (Low security mode)

In this blog, I am going to carry out a walkthrough of DVWA's SQL injection vulnerability.

Step 1: If DVWA is hosted on localhost using XAMPP, run the commands shown in Screenshot 1 below.

Screenshot 1: Commands used to start XAMPP.

Step 2: At the DVWA login page, log in as admin with the password "password".

Screenshot 2


Step 3: First, go to DVWA Security and select the Low setting. In the Low setting, the code behind the DVWA SQL injection page is completely vulnerable to attacks because there are no security measures at all.


Screenshot 3


Step 4: Back on the SQL Injection page, I first go through a normal usage case: I enter an integer User ID to retrieve the first name and surname associated with that ID. In this case, I got Gordon Brown (Screenshot 4), which matches the users table shown in Screenshot 5.

Screenshot 4

Screenshot 5



Step 5: In this step, I enter the string %' or '0'='0 as shown in the screenshot below. In this scenario, the WHERE condition is "always true", so every record is displayed regardless of the original query (Screenshot 6).

The query will go from:

SELECT first_name, last_name FROM users WHERE user_id = '$id';
to 
SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';

The first part of the SQL statement is the SELECT clause; in this case it tells the database to return the first_name and last_name columns from the users table.

The next part of the SQL statement is the WHERE clause, which specifies the condition that one or more matching rows must satisfy.

Note that the $id variable contains whatever the user entered in the text box. So from the previous step, $id contains:

%' or '0'='0

Screenshot 6

Step 6: To view the version of the database that is in use, I can use the version() function, which is part of my input in Screenshot 7.

%' union select null, version() #

Substitution approach: in the example query, the user input is %' union select null, version() #. When this is substituted into the query, the query becomes:

SELECT first_name, last_name FROM users WHERE user_id = '%' union select null, version() #;


Screenshot 7

% is the SQL wildcard character used in LIKE pattern matching, where it matches any sequence of zero or more characters.
UNION is an SQL operator that combines the results of two or more SELECT statements into a single result set.
NULL is a special value in SQL that represents the absence of a value.
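To make the substitution approach from Steps 5 and 6 concrete, and to show the fix beside the flaw, here is an added example that is not part of the original post or of DVWA's own code. It uses Python's sqlite3 in place of DVWA's MySQL and a constructed users table (the rows are made up), so it runs offline. lookup_vulnerable mirrors the Low-security pattern of splicing $id into the SQL text; lookup_hardened shows the defender's fix of validating the expected type and binding the value as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for DVWA's users table (not the real DVWA rows);
# sqlite3 is used here in place of DVWA's MySQL so the example runs offline.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Low-security pattern: the input is spliced straight into the SQL text,
    so a quote in the input rewrites the WHERE clause."""
    query = (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = '{user_input}'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn, user_input):
    """The fix: reject anything that is not the integer the page expects,
    then pass the value as a bound parameter instead of building a string."""
    if not re.fullmatch(r"[0-9]+", user_input):
        return []
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (int(user_input),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal lookup      :", lookup_vulnerable(db, "2"))
    print("injected input     :", lookup_vulnerable(db, "%' or '0'='0"))
    print("bare % under '='   :", lookup_vulnerable(db, "%"))
    print("hardened, injected :", lookup_hardened(db, "%' or '0'='0"))
```

Two things are worth noticing when running it. The always-true input returns every row from the vulnerable lookup but nothing from the hardened one, because the validation rejects it before any SQL is built. And a bare % on its own returns no rows: under the = operator the % is compared literally (it is only a wildcard under LIKE), which is why in the UNION queries on this page the left-hand SELECT contributes nothing and only the rows from the second SELECT are displayed. The same fix in PHP is a prepared statement (mysqli or PDO) with the integer bound as a parameter.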


Step 7: To retrieve the name of the database associated with the query, I can use the database() function with the input %' union select null, database() #.

Screenshot 8

As shown in Screenshot 8, using the substitution approach, the query changes from $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; to $query = "SELECT first_name, last_name FROM users WHERE user_id = '%' union select null, database() #';";. As a result, the first name column is returned as NULL while the surname column holds the DB name, because the two SELECT statements are combined with the UNION operator.

Step 8: To obtain the current username of the Linux/Kali/Ubuntu account through the DVWA website, I can use the user() function as part of the input %' union select null, user() #, shown in Screenshot 9.

Screenshot 9

Step 9: To extract the list of tables in the database associated with the original query, I enter the input %' and 1=0 union select null, table_name from information_schema.tables #, which displays the result shown in Screenshot 10.

Screenshot 10
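The requests from Steps 5 to 9 all reach the server through the id parameter of a GET request, and they share properties a defender can key on: the value is not the integer the page expects, and it carries SQL keywords (union ... select, a quoted or tautology, information_schema) or a # comment terminator, which in MySQL discards the rest of the original statement. The following is an added example, not part of the original post, of a small log check that flags such requests. The log lines are constructed for the example in Apache combined-log style, and the /vulnerabilities/sqli/ path with its id and Submit parameters follows DVWA's SQL injection page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not a real capture). The payloads are the
# URL-encoded forms of the inputs used in Steps 5, 6 and 9 above.
SAMPLE_LOG = [
    '127.0.0.1 - - [31/Jan/2024:10:00:01 +0800] "GET /vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4321',
    '127.0.0.1 - - [31/Jan/2024:10:00:09 +0800] "GET /vulnerabilities/sqli/?id=%25%27+or+%270%27%3D%270&Submit=Submit HTTP/1.1" 200 4890',
    '127.0.0.1 - - [31/Jan/2024:10:00:15 +0800] "GET /vulnerabilities/sqli/?id=%25%27+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 4402',
    '127.0.0.1 - - [31/Jan/2024:10:00:31 +0800] "GET /vulnerabilities/sqli/?id=%25%27+and+1%3D0+union+select+null%2C+table_name+from+information_schema.tables+%23&Submit=Submit HTTP/1.1" 200 6011',
]

# Apache combined-log style: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Keyword families seen in the walkthrough, checked against the decoded id value.
SUSPICIOUS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("tautology", re.compile(r"\bor\b\s*'[^']*'\s*=\s*'", re.IGNORECASE)),
    ("schema_probe", re.compile(r"information_schema", re.IGNORECASE)),
    ("comment_terminator", re.compile(r"(#|--\s)")),
]


def analyse_line(line):
    """Parse one log line; return a verdict dict for requests carrying an id
    parameter, or None when the line is unparseable or has no id."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query)  # percent-decodes and turns '+' into spaces
    ids = params.get("id")
    if not ids:
        return None
    value = ids[0]
    verdict = {"ip": m.group("ip"), "ts": m.group("ts"), "id": value, "reasons": []}
    # The page expects an integer user ID, so anything else is worth a look.
    if not re.fullmatch(r"[0-9]+", value):
        verdict["reasons"].append("non_numeric_id")
    for name, pattern in SUSPICIOUS:
        if pattern.search(value):
            verdict["reasons"].append(name)
    return verdict


def flag_sqli(lines):
    """Return the verdicts for every line that raised at least one reason."""
    flagged = []
    for line in lines:
        verdict = analyse_line(line)
        if verdict and verdict["reasons"]:
            flagged.append(verdict)
    return flagged


if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], repr(hit["id"]), ", ".join(hit["reasons"]))
```

The normal request with id=2 raises nothing, while the three injected requests are each flagged, with the reasons recording which pattern matched. The type check on its own is the most reliable signal for a parameter that should only ever be an integer; the keyword patterns add context for triage but are easy to vary, so they should be treated as supporting evidence rather than the only test.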

Step 10: A few more queries can be run to drill further into the database schema. Eventually I arrive at the SQLi query shown in Screenshot 11:

%' and 1=0 union select null,concat(first_name,0x0a,last_name,0x0a,user, 0x0a,password) from users #


Screenshot 11

a. 0x0a is the hexadecimal representation of the newline character in ASCII. It is used in the query to separate the values of the first_name, last_name, user, and password fields with a newline.
b. concat is an SQL function that concatenates two or more strings into a single string. In this query, it combines the values of the first_name, last_name, user, and password fields into one string with newline characters in between.

Step 11: After obtaining the password hashes as shown in Screenshot 5, I copied them into a txt file called ben10.txt, shown in Screenshot 12. From there, I used John the Ripper to crack the user passwords, shown in Screenshot 13.

Screenshot 12

Screenshot 13

Step 12: At Screenshot 14, to be able to crack the same passwords again, I have to clear the john.pot file by removing it from the directory. Once John the Ripper has cracked a couple of passwords, it stores them in the john.pot file.

Screenshot 14

Screenshot 15

https://www.openwall.com/john/doc/FAQ.shtml
https://charlesreid1.com/wiki/John_the_Ripper/Password_Recovery

