Friday, October 14, 2016

Mutillidae OWASP Top 10: A1 Injection - SQLi Extract Data

We can start web penetration testing on Metasploitable 2 by accessing Mutillidae from the web browser of the Kali attacker machine.

Enter the address: http://<metasploitable 2 IP address>/mutillidae

Mutillidae comes with all of the OWASP Top 10 vulnerabilities found on real websites. You can safely practice common web attacks on Mutillidae to build a strong foundation in basic web security testing.

We will exploit the web vulnerabilities in a sequence starting with A1.

Browse over to OWASP Top 10 > A1 - Injection > SQLi - Extract Data > User Info page. 

SQLi is a type of web attack in which an attacker inserts SQL into an application's input so that it is executed by the application's database. In favorable cases this can reveal or retrieve the entire database.

Let's take a look at the most basic SQL injection technique.

If you have browsed over to the User Info page, it should look like this:

[Screenshot: the User Info page]

A simple form with a username and password field.


Trial and Error with Default Credentials


When you see such a form, always try the default credentials first. At times you can succeed with default credentials because they are often never changed. For example, username: Admin and password: Admin are common defaults. There are tons of default passwords published online for you to try logging in with.

Great lists of default passwords can be found at phenoelit.org and defaultpassword.com.


Manipulating SQL Query Strings


First we need to know what the query looks like in order to manipulate it. Intentionally causing errors on the page can often reveal that information to us.

In the "Name" field enter an apostrophe ( ' ). This will cause an error and give you an output looking like this:

[Screenshot: the error table shown by the User Info page]

From the error table, we can clearly see the SQL query that is used. The query needs a username AND password in order to show details.


SELECT * FROM accounts WHERE username=''' AND password=''

This statement is only true if you supply a matching username and password. (The third apostrophe is the one we typed into the Name field; it breaks the string and causes the error.)

However, since we don't have a username and password, we can use a comment ( -- ) and the SQL "OR" operator to make the statement TRUE without knowing either of them.


SELECT * FROM accounts WHERE username='' OR 1=1 -- ' AND password=''

Breakdown:

  • The first apostrophe ( ' ) closes the username string, leaving the username blank. The statement is currently false.
  • But the "OR" operator tells the database that if anything after it is true, the whole condition becomes true.
  • "1=1" is a condition that is always true, just like 2=2 or 100=100.
  • The "--" starts an SQL comment, so the database ignores everything after it, including the password check.


So the query the database effectively runs looks like


SELECT * FROM accounts WHERE username='' OR 1=1 --

The WHERE clause is now always TRUE.

In the Name field, input: ' OR 1=1 --

Do you notice anything below the form? :)
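To see exactly why the apostrophe produces an error and why ' OR 1=1 -- returns every row, here is a small self-contained Python example (added for this write-up; it is not Mutillidae's code, and it uses an in-memory SQLite table with constructed sample accounts instead of Mutillidae's MySQL database). It builds the same concatenated query the error table revealed, runs it, and then runs the parameterized version that a fixed application would use, so you can compare the row counts side by side. The account rows are made up for the demo.

```python
import sqlite3

# Constructed sample rows standing in for Mutillidae's accounts table (not its real contents).
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass"),
    ("alice", "alicepass"),
    ("bob", "bobpass"),
]


def make_db():
    """Create an in-memory SQLite database with a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: reproduces the query shape shown in the Mutillidae error table."""
    return ("SELECT * FROM accounts WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_lookup(conn, username, password):
    """Run the concatenated query: user input becomes part of the SQL itself."""
    return conn.execute(build_vulnerable_query(username, password)).fetchall()


def safe_lookup(conn, username, password):
    """Parameterized query: the driver sends the values separately, so quotes and -- are data, not SQL."""
    return conn.execute(
        "SELECT * FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


def triggers_error(conn, username, password):
    """True if the concatenated query is rejected by the database (e.g. a lone apostrophe)."""
    try:
        vulnerable_lookup(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Compare the vulnerable and parameterized lookups on the ' OR 1=1 -- input from the post."""
    conn = make_db()
    payload = "' OR 1=1 -- "
    return {
        "vulnerable_query": build_vulnerable_query(payload, ""),
        "vulnerable_rows": len(vulnerable_lookup(conn, payload, "")),   # every account
        "safe_rows": len(safe_lookup(conn, payload, "")),               # nothing matches
        "valid_login_rows": len(safe_lookup(conn, "alice", "alicepass")),  # one account
        "apostrophe_errors": triggers_error(conn, "'", ""),             # the error from the screenshot
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it and compare vulnerable_rows with safe_rows: the same input that dumps the whole table through the concatenated query matches nothing once the username and password are passed as parameters, which is the fix the OWASP A1 guidance recommends. (Note that SQLite accepts -- with or without a trailing space; MySQL, which Mutillidae uses, requires the space that the post's payload already includes.)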

[Screenshot: every account's details listed below the form]

It is important to be familiar with SQL syntax. tutorialspoint is a great resource for quickly getting on your feet with SQL.

You can measure your SQL skills by answering this question: why did it show us all of the usernames and passwords? Why not a couple of them, or just one?


-Jayesh Kerai (@secjay)
