
Monday, April 2, 2018

SQL Injection (I): Authentication bypass


SQL INJECTION (I): AUTHENTICATION BYPASS

- Layout for this exercise:






1 - SQL INJECTION

- An SQL injection attack consists of insertion or "injection" of either a partial or complete SQL query via the data input or transmitted from the client (browser) to the web application. 

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

- A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system or write files into the file system, and, in some cases, issue commands to the operating system. 

- SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

- A successful SQL Injection attack requires the attacker to craft a syntactically correct SQL Query. 

- If the application returns an error message generated by an incorrect query, then it may be easier for an attacker to reconstruct the logic of the original query and, therefore, understand how to perform the injection correctly. 


- However, if the application hides the error details, then the attacker must be able to reverse engineer the logic of the original query.


2 - AUTHENTICATION BYPASS

- This type of SQL Injection tries to gain access to a database by inserting SQL Queries within the input fields of a login application, so that the security mechanism is bypassed. 

- Let's take as victim example this demo banking account login page:


http://demo.testfire.net/bank/login.aspx


- Because it is a demo webpage we know in advance that this database holds a record like this:




- Let's start by examining a typical login SQL query:

SELECT account FROM USERS WHERE username = 'admin' AND password = 'admin'

- The boolean expression username = 'admin' AND password = 'admin' is only TRUE when both operands are TRUE (1 AND 1 = 1).

- In this way, entering the correct credentials admin/admin in the username and password fields grants access:






- However, if one of the operands is FALSE (password = '12345'), the whole expression evaluates to FALSE (1 AND 0 = 0):

SELECT account FROM USERS WHERE username = 'admin' AND password = '12345'


- So, entering incorrect credentials like admin/12345 makes the login process fail:



- By the way, entering a single quotation mark character (') is a good way to discover whether the application is prone to SQL Injection, as is the case here:





- Taking advantage of the boolean structure of the SQL query, we can forge the credentials so that the whole expression becomes TRUE. For instance:


SELECT account FROM USERS WHERE username = 'admin' AND password = 'x' or 'a'='a'


- Note that 'x' or 'a'='a' is always TRUE (x OR 1 = 1), so the whole expression is again TRUE (1 AND 1 = 1).


- Checking that a crafted password like x' or 'a'='a gives access to the database:




- Even more, using x' or 'a'='a both for username and password (x' or 'a'='a / x' or 'a'='a) also does the trick of giving access to the database:







- In this final case what we actually have is this:

SELECT account FROM USERS WHERE username = 'x' or 'a'='a' AND password = 'x' or 'a'='a'


- The SQL query always evaluates to TRUE, because both AND operands are TRUE (1 AND 1 = 1). In other words:

SELECT account FROM USERS WHERE TRUE AND TRUE
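To make the boolean logic above concrete, here is an added Python example (not code from the original post or from the testfire demo site) that rebuilds the page's USERS query against an in-memory SQLite table, runs the same inputs through the concatenated query and through a parameterized one, and shows why a lone quote is a useful probe. The account number and table contents are constructed.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the page's USERS table (the account value is made up).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (account TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('800000', 'admin', 'admin')")
    return conn

def login_vulnerable(conn, username, password):
    # The page's query, built by pasting user input straight into the SQL text.
    # AND binds tighter than OR, so "... AND password = 'x' or 'a'='a'" parses as
    # (username AND password) OR TRUE, which is TRUE for any credentials.
    query = ("SELECT account FROM USERS WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()

def login_parameterized(conn, username, password):
    # Same query with placeholders: the values travel separately from the SQL
    # text, so a quote in the input is just a character in the compared string.
    query = "SELECT account FROM USERS WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

def quote_probe_errors(conn):
    # A single quote unbalances the concatenated query; the database error is
    # the tell-tale sign the page mentions. The parameterized query simply
    # finds no matching row and raises nothing.
    try:
        login_vulnerable(conn, "'", "")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("admin/admin        ->", login_vulnerable(db, "admin", "admin"))
    print("admin/12345        ->", login_vulnerable(db, "admin", "12345"))
    print("admin/x' or 'a'='a ->", login_vulnerable(db, "admin", "x' or 'a'='a"))
    print("parameterized      ->", login_parameterized(db, "admin", "x' or 'a'='a"))
    print("quote probe errors ->", quote_probe_errors(db))
```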







Installing XAMPP and DVWA at Linux Ubuntu 17.10.1


INSTALLING XAMPP AND DVWA AT LINUX UBUNTU 17.10.1




- The goal of this exercise is to install the XAMPP web server platform and the DVWA vulnerable web application on the Ubuntu 17.10.1 Linux distro.

1 - XAMPP

- XAMPP is a free and open source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MySQL/MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages.

- XAMPP stands for Cross-Platform (X), Apache (A), MySQL/MariaDB (M), PHP (P) and Perl (P). 

- The version 5.6.34 using MySQL can be downloaded from here:

https://sourceforge.net/projects/xampp/files/XAMPP%20Linux/5.6.34/






- Giving executable permissions to the XAMPP installer:





- Running the installation:






- Going to /opt/lampp, where XAMPP has been installed:




- Starting Apache, MySQL and FTP services at XAMPP:





2 - DAMN VULNERABLE WEB APP (DVWA)

- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is "damn vulnerable". 

- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers/students to teach/learn web application security in a classroom environment.

http://www.dvwa.co.uk/

https://github.com/ethicalhack3r/DVWA





- Downloading the application:




- Extracting to the folder webtest:











- Renaming DVWA-master to dvwa, for greater ease of use:







- Now, the whole folder dvwa must be copied to the /opt/lampp/htdocs directory, where XAMPP stores web site content:






- Setting up the DVWA Database:








- However, there is an error because the correct database credentials are not being used, so the config.inc.php file must be edited:







- Creating a new config.inc.php:





- Editing config.inc.php:






- The line regarding db_password must be altered:




- Also, for future exercises let's establish the security level to "low":




- After resetting the database, the installation is successful:






- Finally, the DVWA login page is available:





- Entering the credentials admin:password:












Extracting and decrypting an HTTP capture with Tcpxtract / FCrackZip


EXTRACTING AND DECRYPTING AN HTTP CAPTURE WITH TCPXTRACT / FCRACKZIP

- Layout for this exercise:




1 - Tcpxtract / FCrackZip

- tcpxtract is a tool for extracting files from network traffic based on file signatures.

- Extracting files based on file type headers and footers (sometimes called "carving") is an age-old data recovery technique. 

tcpxtract uses this technique specifically for intercepting files transmitted across a network. 

- To download and install tcpxtract:

http://www.toolwar.com/2014/01/tcpxtract-network-traffic-extracting.html


- FCrackZip is a zip password cracking tool.

- To download and install FCrackZip:

http://www.toolwar.com/2013/10/fcrackzip-tools.html

2 - Transferring a password protected file from Ubuntu to Kali Linux

- Protecting a zipped file (composed of a text file and a picture) with a password and storing it on the Ubuntu Apache server:




- Now, let's enable Wireshark at Kali so that the transfer can be captured:




- Now, opening a browser at Kali, let's download the file instrument.zip from Ubuntu:




- The file transfer is successful:




- Wireshark has captured the transfer between both devices and created a .pcap file:




- Saving capture.pcap for further treatment:






3 - Extracting a Wireshark capture with tcpxtract

- Extracting capture.pcap with tcpxtract and outputting to the folder data:









- Checking the content of the .html files, some of them are encrypted:
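As an added example of the header/footer carving technique described in section 1, and of telling apart the password-protected archives found above, here is a minimal Python carver (not tcpxtract's own code) that scans a raw byte stream for ZIP signatures and reads the encryption bit of each carved archive. The input is a constructed stand-in for the reassembled HTTP payload bytes, not the page's capture.pcap, so no pcap parsing is involved.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # "header" signature: start of a local file entry
ZIP_EOCD = b"PK\x05\x06"           # "footer" signature: end of central directory record
ENCRYPTED_FLAG = 0x0001            # bit 0 of the general-purpose flags: entry is encrypted

def carve_zips(stream):
    """Carve every ZIP archive out of a raw byte stream by header/footer signature.
    Returns a list of (offset, archive_bytes, encrypted) tuples."""
    found, pos = [], 0
    while True:
        start = stream.find(ZIP_LOCAL_HEADER, pos)
        if start == -1:
            return found
        eocd = stream.find(ZIP_EOCD, start)
        if eocd == -1 or eocd + 22 > len(stream):
            return found                  # header with no complete footer: truncated transfer
        comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
        end = min(eocd + 22 + comment_len, len(stream))
        flags = struct.unpack_from("<H", stream, start + 6)[0]
        found.append((start, stream[start:end], bool(flags & ENCRYPTED_FLAG)))
        pos = end

def list_entries(archive):
    """Names of the files inside a carved archive (checks the carve is well-formed)."""
    return zipfile.ZipFile(io.BytesIO(archive)).namelist()

def build_sample_stream():
    # Constructed stand-in for the HTTP payload bytes of a capture: two zip
    # downloads surrounded by HTTP headers and unrelated trailing data.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("instrument.txt", "hello from the wire\n")
    plain = buf.getvalue()
    marked = bytearray(plain)
    marked[6] |= ENCRYPTED_FLAG       # constructed: only the flag is set, data is not really encrypted
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n" + plain
            + b"HTTP/1.1 200 OK\r\n\r\n" + bytes(marked) + b"<html>trailing page</html>")

if __name__ == "__main__":
    for offset, data, encrypted in carve_zips(build_sample_stream()):
        state = "password protected" if encrypted else "plain"
        print(f"zip at offset {offset}, {len(data)} bytes, {state}: {list_entries(data)}")
```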









4 - Decrypting with fcrackzip and unzipping

- Taking the file 00000010.zip to be decrypted:





- The encryption password is found:




- Finally, we are able to unzip the transferred file (composed of a text file and an image) using the recovered password: