Thursday, February 27, 2014

[infosecinstitute] Manual Web Application Penetration Testing – Blind SQL Injection with SQLmap

In this part of the series I am going to focus only on SQL injection. I assume that you already know about normal SQL injection, which I have shown already in my earlier parts, where you are giving input to the different parameters and waiting for the server to react to you, then you use a suffix and prefix in order to inject into the database. In this section we are moving a little bit forward, and I am going to talk about blind SQL injection. However, for those who do not have any background knowledge of this, go to Wikipedia and check it manually. For this part of my series you must have a registered account in NOWASP Mutillidae. So make sure you register if you do not have it.

Preface of SQL Injection
This is a method of injecting SQL commands from web interface, but not through any direct connection to the database. We give input in such a way that the backend database handler executes our queries as a SQL command. Here I will be focusing a little on basic injection, and then I will shift my gears toward blind SQL injection.
Show Time
Here I am logged in as “jonnybravo” username and “momma” as a password. Now I will go to a user lookup page, which is lying under OWASP 2013 > A1 SQL Injection > Extract data > User Info. Now, to see the user info, give your ID and Password and you will be able to see the user info as it now shows in my pic below.
Now, as I mentioned in my previous articles, this page is vulnerable to SQL injection, so I am going to try various injections to manipulate the database. For this I am going to use the mixture of suffix and prefix as I mentioned in my previous articles. My injection will be as follows:
Username: jonnybravo’ or 1=1; –
What this injection is going to do is ask for the name jonnybravo from the database, and as soon as it asks for the record in the database, I will terminate the query and write OR because it is an “if statement”, which will be always true if I give “or 1=1″. The rest of the statement after ” will become true until the end of the query. 1=1 is to get the every single record from the database. And then ; — is to close the query. It means we are telling the database that there is not any further query after this.
Figure 1: Watching User Info with legitimate credentials
Here I injected the payload and the server disclosed all entries from its database on the webpage.
Figure 2 : Injected Payload Discloses all entries from the database
Up to now I have shown you a basic SQL injection, now I am going forward with the SQLmap tool which is rebuilt in BackTrack and Samurai penetration testing distros. To run the SQLmap tool simply open a terminal and type SQLmap and then hit enter. The screen will look like below.
First and foremost, if you are new to SQLmap then you don’t need to worry, but if you have used this tool previously, kindly remove previous output files by giving –purge-output command in SQLmap so it becomes easy to find and navigate our current testing. It is as follows:
Figure3: Removfromcurrent output files form SQLmap output directory
Now here I am going to do something more unique than usual. Normally people try SQLmap with the direct URL. I am going to use this tool to analyze the request. I will use Burp to see the request and will save that in one text file. Then I will invoke that text file in SQLmap and let it do its work. This is the preface of my work. The first thing I need to do is to get a request. So here is the following request.
GET /chintan/index.php?page=user-info.php&username=jonnybravo&password=momma&user-info-php-submit-button=View+Account+Details HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: showhints=0; username=jonnybravo; uid=19; PHPSESSID=f01sonmub2j9aushull1bvh8b5
Connection: keep-alive
I saved this request in a text file, and then I sent that in KALI Linux. To pass this request header to SQLmap, the command is as follows.
SQLmap –r ~/root/Desktop/header.txt
Self-Critical Evaluation
This is where the –r option is used to read a request file and ~/root/Desktop/header.txt is just a location of the file. If you are working with VMware in which KALI is separate and your Windows is separate, on which a vulnerable application is lying about, then you might see some error as shown in the figure below.
We have to give an IP address in the request header in order to communicate with my XP machine from my KALI Linux. So I am changing my host as I mentioned in the pic below.
Now if you try, then it will work like as follows:
Basically, what this tool does is analyze the request and determine the first parameter in this request. Then it I will try all of its tests on that parameter in order to find the type of database the server currently has. As per our request, SQLmap will test the first page parametesr and apply all tests on that first.
GET /chintan/index.php?page=user-info.php&username=jonnybravo&password=momma&user-info-php-submit-button=View+Account+Details HTTP/1.1
SQLmap is capable of trying various database types such as ‘MySQL’, ‘Oracle, SQL’, ‘PostgreSQL’, ‘Micirosft SQL Server’ etc.
Here is the list of databases on which my SQLmap is currently testing the request given by me.
First, it will identify if a given parameter is injectable or not. In our case, we have set the security of NOWASP mutillidae very 0. So it is injectable. And SQLmap has also assumed that the backed database could be DBMS or MYSQL.
Look at the picture. The tool identifies that the backend database could be MYSQL, and that is why it is asking to skip the rest of the database testing.
“In our particular case, we also know that backend database is MYSQL. So I am skipping the rest of the database testing by giving the proper option.”
Now we are asked to include all payloads for the MySQL test. I want to include all payloads for it, so I am giving the ‘yes’ option.
After testing some payloads, it has identified that there is an error based injection and Boolean based blind injection on GET parameter.
Now it shows that GET parameter username is an injectable of a MySQL union-based query, so I am skipping all other tests on this and digging deep into that.
Now our tool has identified that these are the possible application injection points from where you should start digging.
Now I will dig more into the username parameter by giving this command in the SQLmap tool. From all of the above injection points and payloads, we are going to use a Boolean based blind SQL injection technique on the username parameter. To use technique, there is a –technique option in the SQLmap tool. Different options which can be used by technique are given below.
B : Boolean based blind
Q : Inline queries
T : time based blind
U : Union query based
E : error based
S : stack queries
We are also giving the parameter name which is ‘username’ in our case. So my given command will be as follows:
SQLmap –r ~root/Desktop/header.txt – -technique B – -p username – -current-user
Here –p option stands for the parameter value in which we are injecting. ‘Current user’ option is forcing SQLmap to pull out the current user which MYSQL server uses to login into the database system. The output of the above query will be as follows:
You can also see that it has also identified the operating system name, DBMS server and the programming language is used for the application.
“At this point, let me make it clear to you that we are just sending and receiving requests to the web server. It is just a client-server interaction. We are not directly interacting with the database management system. However, SQLmap is able to identify these juicy information from the backend.
“Also make sure that this SQL injection and the previous SQL injection are different. In the previous one, we have used suffix and prefix, which are not used here. Previously we were giving inputs and we were expecting those inputs to come back at the client side, so that we can identify the entry points. Here we are giving such TRUE inputs through which we can determine the response of an application, that’s how it revert back to us.”
Analysis of Results
Now we have been given the current username which is a local host. Let us identify what it has done in the backend. It worked on an “if” statement which is mentioned in the above picture. It has parsed the “if” query through which it is checking if the username is equal to jonnybravo and 7333 = 7333 and so on. So instead of 7333, SQLmap started taking different characters, and new request became as follows:
page=user-info.php?username=’jonnybravo’ AND ‘a’='a’ etc.. FALSE
page=user-info.php?username=’jonnybravo’ AND ‘l’='l’ etc.. TRUE
page=user-info.php?username=’jonnybravo’ AND ‘s’='s’ etc.. TRUE
page=user-info.php?username=’jonnybravo’ AND ‘b’='b’ etc.. FALSE
As you can see, the first and last query resulted in false, and the other two queries resulted in true. It is because our current username is root@localhost and it consists of the letter ‘l’ and ‘s’. Thus, how it checks all alphabets and gives us the username.
“This is the username which is used to authenticate the webserver to the SQL server. This kind of thing should not be exposed at the client side by any attack. However, we got that. Let’s move forward.”
As we have got the username, now we will simply ask it to fetch the password for this particular username. So we will remove –current-user option and instead of that we will add two more options which are –U and –passwords. –U stands for specifying the username and –passwords asks SQLmap to get the password of this particular username which we are specifying. So whole final query becomes like this.
SQLmap –r ~root/Desktop/header.txt – -technique B – -p username –U root@localhost –passwords
The output is shown in the picture below.
Self-Critical Evaluation
Sometimes it may possible that you do not get a password and just get NULL in the output. It is because the system administrator might not have set the authentication credentials for that particular username. In that case, if you are trying this at your localhost, by default, there will not be a password for this root@localhost username. In that case, you have to set up the password, which comes under MySQL(database) and user(table). You will see the listing below, and you can double click in the password field in order to add a password. Or you can simply give the below query into the database and it will directly update the result in the row.
I set this ‘sysadmin’ password in my table, and that is why SQLmap is able to fetch it, otherwise it would have shown NULL only in the output.
So this is how you can get the login credentials of administrator without actually interacting directly with the database server.
So this is called blind SQL injection, which is more tedious and somehow hard to detect and exploit in the most cases. Now you know the difference between traditional SQL injection and blind SQL injection. In this type of scenario, we are just passing inputs and waiting to see if the response is coming in a traditional way or not. Then, we try our luck there in order to inject it. This is a completely different method than that previous one.

No comments:

Post a Comment