miércoles, 31 de mayo de 2023

Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal , the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."
To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:
Lets first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:
Lets call this response as valid response for the ease of reference in the rest of the article. Now lets try to enter an invalid ID to see what the response for that would be. Enter something like 1337 the response would be like this:

We will call this invalid response. Since we know both the valid and invalid response, lets try to attack the app now. We will again start with a single quote (') and see the response. The response we got back is the one which we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete. Lets try to add an or statement to our query like this:
' or 1=1-- -
This returns a valid response. Which means our query is complete and executes without errors. Lets try to figure out the size of the query output columns like we did with the sql injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:
' or 1=1 order by 1-- -
Again we get a valid response lets increase the number to 2.
' or 1=1 order by 2-- -
We get a valid response again lets go for 3.
' or 1=1 order by 3-- -
We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Lets try to get some data using the blind sql injection, starting by trying to figure out the version of dbms used by the server like this:
1' and substring(version(), 1,1) = 1-- -
Since we don't see any output we have to extract data character by character. Here we are trying to guess the first character of the string returned by version() function which in my case is 1. You'll notice the output returns a valid response when we enter the query above in the input field.
Lets examine the query a bit to further understand what we are trying to accomplish. We know 1 is the valid user id and it returns a valid response, we append it to the query. Following 1, we use a single quote to end the check string. After the single quote we start to build our own query with the and conditional statement which states that the answer is true if and only if both conditions are true. Since the user id 1 exists we know the first condition of the statement is true. In the second condition, we extract first character from the version() function using the substring() function and compare it with the value of 1 and then comment out the rest of server query. Since first condition is true, if the second condition is true as well we will get a valid response back otherwise we will get an invalid response. Since my the version of mariadb installed by the docker container starts with a 1 we will get a valid response. Lets see if we will get an invalid response if we compare the first character of the string returned by the version() function to 2 like this:
1' and substring(version(),1,1) = 2-- -
And we get the invalid response. To determine the second character of the string returned by the version() function, we will write our query like this:
1' and substring(version(),2,2) = 1-- -
We get invalid response. Changing 1 to 2 then 3 and so on we get invalid response back, then we try 0 and we get a valid response back indicating the second character in the string returned by the version() function is 0. Thus we have got so for 10 as the first two characters of the database version. We can try to get the third and fourth characters of the string but as you can guess it will be time consuming. So its time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and try sqlmap. I am going to show you how to use sqlmap but you can try the first method as well, as an exercise.
Lets use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:
sqlmap --version
this will print the version of your sqlmap installation otherwise it will give an error indicating the package is not installed on your computer. If its not installed then go ahead and install it.
Now type the following command to get the names of the databases:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id
Here replace the PHPSESSID with your session id which you can get by right clicking on the page and then clicking inspect in your browser (Firefox here). Then click on storage tab and expand cookie to get your PHPSESSID. Also your port for dvwa web app can be different so replace the URL with yours.
The command above uses -u to specify the url to be attacked, --cookie flag specifies the user authentication cookies, and -p is used to specify the parameter of the URL that we are going to attack.
We will now dump the tables of dvwa database using sqlmap like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables
After getting the list of tables its time to dump the columns of users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns
And at last we will dump the passwords column of the users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump
Now you can see the password hashes.
As you can see automating this blind sqli using sqlmap made it simple. It would have taken us a lot of time to do this stuff manually. That's why in pentests both manual and automated testing is necessary. But its not a good idea to rely on just one of the two rather we should leverage power of both testing types to both understand and exploit the vulnerability.
By the way we could have used something like this to dump all databases and tables using this sqlmap command:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all
But obviously it is time and resource consuming so we only extracted what was interested to us rather than dumping all the stuff.
Also we could have used sqlmap in the simple sql injection that we did in the previous article. As an exercise redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp

More articles


Publicado por en No hay comentarios:

How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

More info


Publicado por en No hay comentarios:

Gotanda - Browser Web Extension For OSINT


Gotanda is OSINT(Open Source Intelligence) Web Extension for Firefox/Chrome.

This Web Extension could search OSINT information from some IOC in web page.(IP,Domain,URL,SNS...etc)

This Repository partly the studying and JavaScript practice.

Download link below.


Usage

Right click highlighted IOC strings, It will show contextmenus.(Or right clicking any link. )

When You want to search using some engine, You choose one of list.


Search Engine List
Name URL Category
Domain Tools https://whois.domaintools.com/ whois Lookup
Security Trails https://securitytrails.com/ whois lookup
whoisds https://whoisds.com/ whois lookup
ThreatCrowd https://www.threatcrowd.org/ Domain, IPv4
AbuseIPDB https://www.abuseipdb.com/ IPv4
HackerTarget https://hackertarget.com/ IPv4
Censys https://censys.io/ IP, Domain
Shodan https://shodan.io/ IP, Domain
FOFA https://fofa.so/ IP, Domain
VirusTotal https://virustotal.com/ IP, Domain, URL,Hash
GreyNoise https://viz.greynoise.io/ IPv4
IPAlyzer https://ipalyzer.com/ IPv4
Tor Relay Search https://metrics.torproject.org/ IP,Domain
Domain Watch https://domainwat.ch/ Domain, Email,whois lookup
crt.sh https://crt.sh/ SSL-certificate
SecurityHeaders https://securityheaders.com/ URL, Domain
DNSlytics https://dnslytics.com/ IPv4,IPv6,ASN
URLscan https://urlscan.io/ URL
Ultratools https://www.ultratools.com/ IPv6
Wayback Machine https://web.archive.org URL
aguse https://www.aguse.jp/ URL
check-host https://check-host.net/ URL
CIRCL https://cve.circl.lu/ CVE
FortiGuard https://fortiguard.com/ CVE
Sploitus https://sploitus.com/ CVE
Vulmon https://vulmon.com/ CVE
CXSecurity https://cxsecurity.com/ CVE
Vulncode-DB https://www.vulncode-db.com/ CVE
Malshare https://malshare.com/ MD5 Hash
ThreatCrowd https://www.threatcrowd.org/ IP,Domain
Hybrid Analysis https://www.hybrid-analysis.com/ hash
Twitter https://twitter.com/ SNS, w/TimeLine
Qiita https://qiita.com SNS
GitHub https://github.com SNS
Facebook https://www.facebook.com/ SNS, w/TimeLine
Instagram https://www.instagram.com/ SNS
LinkedIn https://linkedin.com/ SNS
Pinterest https://www.pinterest.jp SNS
reddit https://www.reddit.com/ SNS

About Twitter and FaceBook could search timeline with any words.


Misc

This extension is optimized for the Japanese environment.

More information
  1. Hacking Tools For Kali Linux
  2. Pentest Tools Subdomain
  3. Hacker Tools Linux
  4. Pentest Tools Windows
  5. Hacking Tools Windows 10
  6. Hacker Tools For Windows
  7. Tools 4 Hack
  8. Hacking Tools For Windows Free Download
  9. Hacking Tools Github
  10. Hacking Tools For Mac
  11. Termux Hacking Tools 2019
  12. Pentest Tools List
  13. Pentest Tools For Windows
  14. Hacker Search Tools
  15. Pentest Tools Port Scanner
  16. Pentest Tools Port Scanner
  17. How To Make Hacking Tools
  18. Kik Hack Tools
  19. Black Hat Hacker Tools
  20. Pentest Box Tools Download
  21. Growth Hacker Tools
  22. Hacker Tools Free Download
  23. Tools Used For Hacking
  24. Pentest Box Tools Download
  25. Pentest Tools For Ubuntu
  26. Pentest Tools Free
  27. Hacking Tools Windows
  28. Best Hacking Tools 2019
  29. Hacking Tools And Software
  30. Nsa Hacker Tools
  31. Hack Tools For Pc
  32. Hacker Tools Free
  33. Hack Tools For Mac
  34. Pentest Tools For Windows
  35. Hacker Tools 2020
  36. Hacks And Tools
  37. World No 1 Hacker Software
  38. World No 1 Hacker Software
  39. Hacking Tools Pc
  40. Hack Tools Online
  41. Ethical Hacker Tools
  42. Hack Tools Mac
  43. Hacking Tools Hardware
  44. New Hack Tools
  45. Hack Tools For Pc
  46. Hacker Techniques Tools And Incident Handling
  47. Pentest Recon Tools
  48. Hacker Tools Github
  49. Bluetooth Hacking Tools Kali
  50. Hackers Toolbox
  51. Hacker Tools Free
  52. Pentest Tools Review
  53. Hacking Tools Windows 10
  54. Hacking Tools For Games
  55. Hacker Tools For Windows
  56. Hack Apps
  57. Hacker Tools For Mac
  58. Hack Tools For Ubuntu
  59. World No 1 Hacker Software
  60. Hackrf Tools
  61. Physical Pentest Tools
  62. How To Hack
  63. Pentest Tools
  64. Hack Apps
  65. Hacker Tools For Mac
  66. Pentest Tools For Android
  67. Pentest Tools Nmap
  68. Hacking Tools Mac
  69. Hackrf Tools
  70. Pentest Tools
  71. Github Hacking Tools
  72. Physical Pentest Tools
  73. Usb Pentest Tools
  74. Best Hacking Tools 2020
  75. Pentest Tools List
  76. Physical Pentest Tools
  77. Pentest Tools For Ubuntu
  78. Hacking Apps
  79. Hack Rom Tools
  80. Hacking Tools Kit
  81. How To Make Hacking Tools
  82. Hacking Tools Software
  83. Hack Website Online Tool
  84. How To Hack
  85. Hack Tools Mac
  86. Nsa Hacker Tools
  87. Hacker Tools Online
  88. Pentest Tools Android
  89. Hacker Tools Apk
  90. Hacking Tools Free Download
  91. Hack App
  92. Pentest Recon Tools
  93. Tools For Hacker
  94. Blackhat Hacker Tools
  95. Hacker Tools 2020
  96. Pentest Tools Find Subdomains
  97. Pentest Tools Github
  98. Hacking Tools Name
  99. What Are Hacking Tools
  100. Hacker Tools Free
  101. Hack Tools Download
  102. Hackrf Tools
  103. Hacking Tools For Windows 7
  104. Hacker Search Tools
  105. Nsa Hack Tools
  106. Hacking Apps
  107. Hack Tools Online
  108. Hack And Tools
  109. Hack Rom Tools
  110. Hacking Tools Hardware
  111. How To Hack
  112. Hacking Tools Hardware
  113. World No 1 Hacker Software
  114. Tools 4 Hack
  115. Black Hat Hacker Tools
  116. Physical Pentest Tools
  117. Github Hacking Tools
  118. Black Hat Hacker Tools
  119. Game Hacking
  120. Pentest Tools Alternative
  121. Hacking Tools 2020
  122. Hack Tools Online
  123. Nsa Hack Tools Download
  124. Pentest Tools Port Scanner
  125. Hack Tools For Pc
  126. Hacking Tools 2020
  127. Hacker Hardware Tools
  128. Hacking Tools Download
  129. Nsa Hack Tools
  130. Hackrf Tools
  131. Hak5 Tools
  132. Pentest Tools
  133. What Are Hacking Tools
  134. Pentest Tools Port Scanner
  135. Nsa Hacker Tools
  136. Hacker Tools
  137. Hack Tools Pc
  138. Computer Hacker
  139. Hack Tools For Ubuntu
  140. Blackhat Hacker Tools
  141. Hacking Tools Online
  142. Hacking Tools For Games
  143. Pentest Tools Github
  144. Hack Tools For Ubuntu
  145. Hacker
  146. Hacker Tools For Mac
  147. Hack Tools For Games
  148. Hacking Tools For Windows 7
  149. Pentest Recon Tools
Publicado por en No hay comentarios:
Suscribirse a: Entradas (Atom)