It is important to know the ways of attack to learn to defend your company.
Once identified the systems and services belonging to the network in question, the next step is to identify which one has known vulnerabilities or paths that can be exploited for the invasion. In this article we seek to exploit flaws in web applications.
Through vulnerabilities and attack vectors found we get access the database. We can trigger attacks aimed at obtaining unauthorized access with the highest level of privileges possible.
Python is a high-level language, multi-platform, very intuitive, it was created in 1991 by Guido Van Rossum for teaching programming. Python is an interpreted language such as Perl, Shell Script, among others. That means it is not necessary to compile the code for it to run. Object-oriented, it has extensive features library for processing XML and HTML, databases and more. One of Python's features is to be a strong typed language, thus a variable acquires a certain type and it is still that kind unless it is recreated.
The sqlmap is an open source tool to use SQLinjection technique, widely used by pentesters and developed in Python. Your goal is to automate the process of detecting and exploiting SQLinjection vulnerabilities in applications or Web sites, as it detects one or more SQL injections on a target, the user can choose from a variety of options that SQLmap available to explore the data stored within the DB, you can take complete control of database servers vulnerable web pages, including database outside the invaded system, such as extracting the list of users, passwords, privileges, tables and more... It has a powerful detection engine employing the latest and most devastating penetration testing techniques for SQL Injection and executing commands on the operating system via out-of-band connections.
Many web developers do not know how SQL queries can be handled and assume that an SQL query is a trusted command. This allows for SQL queries to circumvent access controls, thereby bypassing standard authentication and authorization checks. And sometimes SQL queries even may allow access to the command shell on the server operating system level.
Direct injection of SQL commands is a technique where an attacker creates or alters existing SQL commands to expose hidden data or to override valuable data, and even to execute dangerous system level commands on the server.
BWAPP and WebScarab
Apache (you can configure with xampp)
Sqlmap.py(if you use kali linuxsqlmap is ready to use ;)
What the reader will learn
The basics of SQLinjection
Pentest with python
Familiarity with security tools
Notes of author:
1) Move the directory(extract before) 'bWAPP' and its entire content to the root of your web server.
3) Give full permission to the folders 'passwords' and 'images'.
chmod 777 passwords/
chmod 777 images/
4) Edit the file 'admin/settings.php' with your own database connection settings.
$db_server = "localhost"; // your database server (IP/name), here 'localhost'
$db_username = "root"; // your MySQL user, here 'root'
$db_password = ""; // your MySQL password, here 'blank'
5) Browse to the file 'install.php' in the directory 'bWAPP'.
6) Click on 'here' (Click 'here' to install bWAPP).
The database 'bWAPP' will be created and populated.
7) Go to the login page. If you browse the bWAPP root folder you will be redirected.
8) Login with the default credentials or make a new user.
default credentials: bee/bug
Now you are ready to start, let’s hack ;)
STEP BY STEP
Figure 1) Use the command webscarab.(in kali linux)
Figure 2) The interface of webscarab.
Figure 3) Open BWAPP, the application vulnerable.
Figure 4) Open browser settings, for proxy configuration.
Figure 5) Choose, Manual proxy configuration and insert localhost port as 8080 and after click in OK.
Figure 6) Insert login and password in the application vulnerable, only variable show in webscarab.
Figure 8) Application authenticate
Figure 9)On themoment when application was intercept for webscarab.We can see methods post in WebScarab.
Figure 10) Search local that had place for inside data in application. "SEARCH FOR A MOVIE"
Figure 11) Insert data Letsgopentest.
Figure 12) Intercept Website with proxy.
Figure 13) Save all that was intercept.
Figure 14) Open, sqlmap and insert command sqlmap -r /root/Desktop/sqlinjection/conversations/7-request --dbs
Sqlmap = Tool that will use for run Sqlinjection.
-r = Command from sqlmap for give 7-request.
--dbs = Command from sqlmap for give database.
/root/Desktop/sqlinjection/conversations/ = Path that saved requisition captured "Webscarab"
7-request = Request vulnerable.
Figure 15) Now you can see the databases.
Figure 16) Database bWAPP
Figure 17) Command to list tables.
Figure 18) Tables
Figure 19) Command to see collumns
Figure 20) Collumns
Figure 21) Command to see users.
Figure 22) Tables users
Figure 23) Run command to dump tables.
Figure 24) Afterthis command, you can see the question about user other tools to get users.
Figure 25)Question about use dictionary attack
Figure 26) Choose dictionary you want use
Figure 27) Select Y
Figure 28) Run Dictionary
Figure 29) Dump users
Figure 30) Command for know the user: dba
Figure 31) User is DBA
Figure 32) Show user’s privilege
Figure 33) You can see user’s privilege
DOCUMENTATION AND REPORTING
It must be generated documentation throughout the test in order to keep records of all activities in a transparent way, information such as project scope, tools used, dates and times of tests, list of all identified and exploited vulnerabilities, as well recommendations for implementing improvements.
Information is an important and essential asset in the business environment. With the increased interconnectivity in organizations, information of the same become more exposed and therefore more susceptible to threats and vulnerabilities. There are several ways of how information is presented, stored and shared. Information security provides protection for these forms of information, ensuring continuity while minimizing risk and the return of business investment by implementing a set of appropriate controls. With the evolution and sophistication of various types of malicious attacks organizations are increasingly exposed to threats, making information security necessary to protect business assets.
About the authors:
Diego Barboza Pereira is Information Security Consultant at CIPHER Intelligence LAB with focus in Penetration Testing, Vulnerability Assessment, Analysis and Mitigation. He is a Computer Engineer and has interest in Web Application Security field. Holds certification about security tests in SUSE Certified Linux Administrator,LPIC-1 Junior Level Linux Certification, ISFS - Information Security Foundation based on ISO/IEC 27002, systems and attended many projects for banks and companies of Brazil and He's has channel in YouTube about Security information called Letsgopentest.
Rafael Fontes Souza is Information Security Consultant at CIPHER Intelligence LAB with focus in Penetration Testing, Vulnerability Assessment, Analysis and Mitigation.
Good communication in groups and the general public, started studying with thirteen years(SQL database), member of French Backtrack Team, helps to increase the safety and develop softwares for HackersOnlineClub(Indian).
Contributes to magazines and websites with articles and interviews from countries like Poland, Pakistan, USA and Indonesia.
Accepted speaker in many security conferences and related events as DefCamp, Secure Brasil, Hack in The Box, ISSA, ICSN, Hack Miami, CyberSecurePakistan, Ciberguard and others.