DVWA Walkthrough

DVWA Walkthrough Part 6: SQL Injection


For the sixth installment of our Damn Vulnerable Web App walkthrough we will use a SQL injection vulnerability to obtain all of the usernames and passwords within the application. This is another vulnerability that is very simple to exploit and really doesn’t require the aid of Burp Suite at all. In a more complex application we may want to use tools like Burp Suite or SQLMap to automate the enumeration of the columns and tables within the database.

To start, click on the SQL Injection link in the left-hand menu. We are presented with an input field and a submit button.

SQL injection vulnerabilities are typically caused by a lack of input validation and the use of concatenated queries (building the SQL query string by appending input provided by the end user). When looking for strings to use to test for SQL injection, a good place to start is a SQL injection cheat sheet.


We start with

' OR 1 = 1 -- 

which essentially is SQL speak for select everything in the table, and as we can see below it works.

This is the query the developer intended:

"SELECT first_name, last_name FROM users WHERE user_id = '$id'"

However, because the developer did not sanitize the input characters, the query that is actually executed looks like this:

"SELECT first_name, last_name FROM users WHERE user_id = '' OR 1 = 1 -- '"

But the goal of this challenge is not to get a list of all the users but to get the usernames and passwords, so we are not done just yet. To do this we will leverage the SQL UNION statement to obtain the user and password columns from the users table.

' UNION SELECT user, password from users -- 


And there we are: a list of usernames and MD5 password hashes from the database. The last step, which I will leave to the reader, is to crack the MD5 hashes to obtain the plain text.
Hint: http://www.md5crack.com
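
The concatenated query above, next to a parameterized version of the same lookup, as an added example that is not part of the original walkthrough or of DVWA's code. It assumes Python with an in-memory SQLite database as a stand-in for DVWA's PHP/MySQL back end; the two rows and their password values are constructed placeholders.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the users table (not DVWA's data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "hash-placeholder-1"),
        (2, "Alice", "Example", "alice", "hash-placeholder-2"),
    ])
    return db

def lookup_concatenated(db, user_id):
    # Vulnerable pattern from the walkthrough: the input is spliced into the
    # SQL text, so a quote in user_id closes the string literal and whatever
    # follows it is parsed as SQL.
    query = ("SELECT first_name, last_name FROM users "
             "WHERE user_id = '" + user_id + "'")
    return db.execute(query).fetchall()

def lookup_parameterized(db, user_id):
    # Hardened form: the value is bound separately from the statement, so it
    # is only ever compared against user_id and never parsed as SQL.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    inputs = ["1",
              "' OR 1 = 1 -- ",
              "' UNION SELECT user, password from users -- "]
    for value in inputs:
        print(repr(value))
        print("  concatenated :", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

With the bound parameter, both strings from the walkthrough are treated as a user_id that matches no row, while a legitimate id still returns its record.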

DVWA Walkthrough Part 3: Command Injection


For the third installment of our Damn Vulnerable Web App walkthrough we will tackle command injection via the web. This is very simple to exploit and really doesn’t require the aid of Burp Suite at all.

The intended use of this app is for the user to enter an IP address and the server will run the ping command against the provided IP.


We can assume that the web server is running the following command:

ping 8.8.8.8

With a little bit of Linux knowledge, we know that we should be able to terminate the ping command and execute another command with a semicolon (semicolon is the command separator character). We try sending ; id, and what do you know, we received the output of the id command and we can see that the web server is running as the nobody account.


We can run arbitrary commands on the server; however, our privileges are limited as we are running as the nobody account.

Some other things you can do with command injection:

  • Read content from non-web accessible directories
  • List directory contents
  • Execute commands
  • Upload files and make remote connections to other systems
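
The command construction assumed above, next to a hardened version, as an added example that is not part of the original walkthrough or of DVWA's code. The function names, the IPv4-only restriction and the "-c 4" packet count are assumptions made for the illustration.

```python
import ipaddress
import subprocess

def vulnerable_command(target):
    # Pattern the walkthrough assumes: input appended to a shell command line.
    # Handed to a shell, "; id" ends the ping command and starts a second one.
    return "ping " + target

def safe_ping_argv(target):
    """Return an argv list for ping, or raise ValueError for non-IPv4 input."""
    # IPv4Address() accepts only a dotted-quad literal, so separators,
    # substitutions, embedded spaces and leading "-" options are rejected.
    # IPv4 only, matching the 8.8.8.8 example on the page.
    addr = ipaddress.IPv4Address(target.strip())
    # "-c 4" (assumed) bounds the run; the address is one argv element.
    return ["ping", "-c", "4", str(addr)]

def run_ping(target):
    # No shell is involved, so nothing in the input is interpreted as syntax.
    return subprocess.run(safe_ping_argv(target), shell=False,
                          capture_output=True, text=True, timeout=15)

def check(target):
    """Return the argv that would be run, or None if the input is refused."""
    try:
        return safe_ping_argv(target)
    except ValueError:
        return None

if __name__ == "__main__":
    # Constructed inputs: one valid address and several malformed ones.
    for value in ["8.8.8.8", "; id", "8.8.8.8; id", "$(id)", "-f 8.8.8.8"]:
        print(repr(value), "->", check(value))
```

Validation and the argv list are independent layers: the first refuses anything that is not an address, and the second means that even an accepted value is never parsed by a shell.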

 

DVWA Walkthrough Part 2: Brute Force


The objective of Part 2 of this walkthrough is to brute force the logon mechanism of the Damn Vulnerable Web App (DVWA) in order to obtain a valid username and password of the administrator account. To accomplish this we will use Burp Suite. Before you start make sure you have completed the setup steps in: Burp Suite Tutorial – Part 1: Setup.

In your web browser navigate to http://<IP address>/vulnerabilities/brute/

Next, make sure that “Intercept is on” is enabled and submit the form. Burp will intercept the traffic and display the HTTP request made to the server by your browser. From the Action drop down select “Send to Intruder”.


Navigate to the Intruder tab. The Intruder module is useful for fuzzing specific parameters within a request. The § symbol indicates where Burp will insert its payloads into each request.

In this case we want to brute force the username and password arguments. We do not want to brute force the login, PHPSESSID, or security arguments so highlight those and select ‘Clear §’ to remove the placeholders.


Switch the “Attack type” drop down to Cluster Bomb. This mode will use separate lists to fuzz the username and password arguments and will try all combinations.

Next, select the Payloads tab. For this payload we want to pass in a list of usernames. We will use a simple list of usernames in this example.


Next, select payload 2 from the Payload set drop down. This time we will provide a simple list of passwords to guess.


Select Intruder > Start attack

Finally, we can see each request that has been sent to the server, and the combinations of usernames and passwords that we provided.

We can see that the length of the server response in request #1 has changed significantly from the baseline request and other requests. This is interesting and should be investigated. Request #1 has the correct username and password combination. We can validate that we have successfully gained access to the admin account by clicking “Response” > “Render”, where we are greeted with the text “Welcome to the password protected area admin”.

Whenever you are fuzzing with Burp check the Length of the responses as it may be an indication of a weakness.

That's it for part 2! You can now see how easy it is to quickly automate HTTP/HTTPS fuzzing using Burp Suite.
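
From the defender's side, the run above shows up as one client sending many different username and password pairs to the same path in a short time. The detector below is an added example, not part of the original walkthrough; it assumes an Apache-style access log, a login form submitted as a GET request so the parameters appear in the logged URL, and constructed log lines, documentation IP addresses and thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"GET (?P<url>\S+) [^"]*" \d+ \d+')

def flag_bruteforce(lines, path="/vulnerabilities/brute/", threshold=5,
                    window=timedelta(seconds=60)):
    """Client IPs that sent >= threshold distinct username/password pairs
    to the login path within one window."""
    attempts = defaultdict(list)   # ip -> [(time, (username, password)), ...]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        qs = parse_qs(url.query)
        if url.path != path or "username" not in qs or "password" not in qs:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append((ts, (qs["username"][0], qs["password"][0])))
    flagged = []
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            pairs = {cred for t, cred in events[i:] if t - start <= window}
            if len(pairs) >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

def sample_log():
    # Constructed lines: 192.0.2.10 tries a 3x3 grid of guesses in 9 seconds,
    # 192.0.2.20 mistypes once and then succeeds.
    fmt = ('{ip} - - [02/Nov/2014:20:53:{s:02d} +0000] "GET /vulnerabilities/brute/'
           '?username={u}&password={p}&Login=Login HTTP/1.1" 200 4600')
    grid = [(u, p) for u in ("admin", "root", "test")
            for p in ("123456", "letmein", "password")]
    lines = [fmt.format(ip="192.0.2.10", s=s, u=u, p=p)
             for s, (u, p) in enumerate(grid)]
    lines.append(fmt.format(ip="192.0.2.20", s=30, u="admin", p="passwrod"))
    lines.append(fmt.format(ip="192.0.2.20", s=40, u="admin", p="password"))
    return lines

if __name__ == "__main__":
    print(flag_bruteforce(sample_log()))
```

Counting distinct pairs rather than raw requests keeps a user who retries the same mistyped password from being flagged.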

DVWA Walkthrough Part 1: Setup


Damn Vulnerable Web App (DVWA) is an intentionally vulnerable PHP/MySQL web application for penetration testers to use to learn and practice exploiting many types of common web vulnerabilities.

GETTING DVWA

DVWA code is available from http://www.dvwa.co.uk; however, there is a preloaded Linux server available from vulnhub.com. The quickest way to get started is to download the .iso file and boot the distro in VMWare or VirtualBox.

SETTING UP DVWA 

Once the .iso is booted you will be presented with a shell. To find out what IP address has been assigned to the machine via DHCP run the ifconfig command.

dvwa@dvwa:~$ ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0c:29:0c:8b:03  
          inet addr:192.168.218.136  Bcast:192.168.218.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0c:8b03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24577 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29040387 (27.6 MiB)  TX bytes:1359164 (1.2 MiB)



Now that we know the IP address, browse to the web interface:

http://<ip address>/setup.php

Click ‘Create / Reset Database’.

Next, click ‘DVWA Security’ and log on with the default credentials:

username: admin
password: password

Set the security level to low. This is the easiest setting and probably a good place to start if you are a beginner.


INSTALLING BURP SUITE

For the rest of this walkthrough we will use Burp Suite to assist in finding and exploiting vulnerabilities. Burp Suite comes in free and paid versions. The free version is fine for our purposes.

http://portswigger.net/burp/download.html

Once Burp is installed we want to configure our browser proxy settings to point to Burp. By default Burp is configured to listen on 127.0.0.1:8080.

In Firefox the proxy settings can be found at: Settings > Advanced > Network > Settings.


Open your browser and browse to the DVWA IP address. If Burp is configured properly you should see the HTTP request within the Proxy > Intercept tab.
