Project 20 for CNIT 123: Exploiting SQLi with Havij and Input Filtering (20 pts.)

What You Need

  • A Kali 2 Linux machine with SQLol installed, and Apache and MySQL running, as you did in the previous project.
  • A Windows machine to run Havij

    Warning

    Havij is the tool LulzSec and Anonymous use to earn long prison terms. It's so easy it will make you sick. ONLY SCAN SYSTEMS YOU HAVE PERMISSION TO ATTACK.

    Testing SQLol

    In your Linux machine, from the menu bar, click Applications, Internet, "IceWeasel Web Browser". (Note: Some Linux versions have Firefox instead).

    In IceWeasel, go to

    localhost/sqlol

    SQLol opens, as shown below. If it does not open, restart Apache with service apache2 restart

    Click RESET

    A message appears saying "Done!"

    If you see a "Could not connect..." message, restart MySQL with service mysql restart

    Using the "Find Users" Page

    SQLol is too complex for Havij to exploit in its original state, so I added a simplified "Find Users" page.

    In your Linux machine, in IceWeasel, go to

    localhost/sqlol/search.htm

    A "Find Users" page opens, as shown below:

    In the Name field, type

    C%
    Click the Submit button.

    You should see the username "Chunk MacRunfast", as shown below:

    In IceWeasel, click the Back button to return to the "Find Users" page.

    In the Name field, type

    %
    Click the Submit button.

    You should see all five usernames, as shown below:

    Breaking the "Find Users" Page

    Apparently the designers of this site don't regard usernames as confidential. But the database also contains social security numbers, and those really are confidential.

    The whole point of SQL injection is that a simple form like this can be tricked into revealing more data than the designer intended to reveal.

    In IceWeasel, click the Back button to return to the "Find Users" page.

    In the Name field, type

    O'Neil
    Click the Submit button.

    You should see an error message, as shown below:

    This is the kiss of death--an error like this means that you have lost control of the database, and an attacker can often extract all the data.

    We'll steal the data with Havij, which is absurdly easy to use.

    Getting the IP Address of the Linux Machine

    On your Linux machine, in a Terminal window, enter this command:
    ifconfig
    Record the IP Address of your Linux machine.

    If you are using a virtual machine, it's best to use "Bridged" networking rather than NAT.

    Starting the Windows Machine

    Start your Windows machine. In a Command prompt, PING the IP address of your Linux machine. You should get replies. If you do not, you need to troubleshoot your networking before proceeding further.

    Viewing the "Find Users" Page from the Windows Machine

    On your Windows machine, open a Web browser and go to

    http://192.168.198.175/sqlol/search.htm

    Replace 192.168.198.175 with the correct IP address of your Linux machine.

    A "Find Users" page opens, as shown below:

    In the Name field, type

    x
    Click the Submit button.

    You should see the results page, as shown below:

    No users were found, but that's not a problem. What we really want is the URL of this page, as shown in the address bar:

    http://192.168.198.175/sqlol/search.php?q=x
    You don't need to use the form to perform a search. You can do it by inserting the search parameter directly into the URL.

    On the Windows machine, in the URL bar, add an apostrophe to the end of the URL, so it becomes this:

    http://192.168.198.175/sqlol/search.php?q=x'
    Press the Enter key.

    A SQL error message appears, as shown below:

    This URL is the attack point Havij needs: a URL with a vulnerable parameter.

    Installing Havij

    Havij is a free and powerful SQL Injection attack tool.

    On your Windows machine, in a Web browser, go to:

    http://itsecteam.com/products/havij-advanced-sql-injection/

    Look in the middle of the screen, and in the "Havij Advanced SQL Injection" section, click the "Download" tab.

    Click "Havij v1.15 Free"

    Alternate Download Link

    https://samsclass.info/123/proj14/Havij1.15Free.rar

    After the file downloads, extract it with 7-zip. If you don't have 7-zip, get it here

    Install Havij with the default options.

    If it doesn't launch automatically, click Start, type Havij into the Search box, and run Havij. It does not require Administrator privileges.

    Using Havij to Steal Data

    In the Havij window, paste this URL into the Target field, using the correct IP address of your Linux machine:

    http://192.168.198.175/sqlol/search.php?q=x

    In the Havij window, click the Analyze button.

    The Log at the bottom of the Havij window should show "Current DB: sqlol", as shown below:

    In the upper center of the Havij window, click the Tables button.

    In the lower bar that appears, click the "Get Tables" button.

    The tables "ssn" and "users" appear, as shown below:

    In the left-center pane of the Havij window, check the ssn and users boxes.

    In the center of the Havij window, click the "Get Columns" button.

    The column names appear, as shown below:

    In the left-center pane of the Havij window, in the "ssn" table section, check the name and ssn boxes.

    In the center of the Havij window, click the "Get Data" button.

    The names and SSNs appear, as shown below:

    Saving a Screen Image

    Make sure the names and SSNs are visible.

    Click on the host machine's desktop, outside the virtual machine to make the host machine's desktop active.

    Press the PrintScrn key to copy the whole desktop to the clipboard.

    Paste the image into Paint and save it with the filename "Your Name Proj20a".

    Fixing the Vulnerability with Input Validation

    On your Kali Linux machine, in a Terminal window, execute these commands:
    cd /var/www/html/sqlol

    cp search.php old-search.php

    nano search.php

    Find the existing code marked with a comment saying "PATCH VULNERABLE CODE HERE", as shown below:

    Add this line under the comment:

    $q = mysql_real_escape_string($q);
    Your code should now look like the image shown below:

    Save the page with Ctrl+X, Y, Enter.

    This line adds backslash characters before quotation marks, which will prevent simple SQL syntax errors. This is not the strongest defense possible against SQL injection, but it's a lot better than nothing.
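    As an added example (not SQLol's own search.php, which this project does not reproduce), the PHP below puts the three query styles this section contrasts side by side: the string concatenation that produces the O'Neil error, the escaping fix applied above, and a parameterized query, which is the stronger defense the text says exists. The q parameter name comes from the URL used earlier; the table and column names (users.username) and the database credentials are assumptions.

```php
<?php
// Added example, not SQLol's search.php. Table/column names and the
// credentials are assumptions; only the q parameter is from the project.

// The search pattern arrives in the q parameter, e.g. search.php?q=C%
$q = isset($_GET['q']) ? $_GET['q'] : '';

// 1. Vulnerable: the untrusted value is pasted into the SQL text.
//    q=O'Neil closes the string literal early, leaving "Neil'" as stray
//    SQL, so MySQL reports a syntax error. That error is the signal an
//    injection tool looks for before it starts pulling data.
function vulnerableQuery($q)
{
    return "SELECT username FROM users WHERE username LIKE '$q'";
}

// 2. The escaping fix from this project. mysql_real_escape_string() needs
//    an open mysql_* connection and was removed in PHP 7; real_escape_string
//    on mysqli is the equivalent on a current PHP. It backslash-escapes
//    quotes, backslashes and NUL so O'Neil becomes O\'Neil, but it only
//    protects values that sit inside quotes in the SQL. An unquoted
//    numeric parameter would still be injectable.
function escapedQuery(mysqli $db, $q)
{
    $safe = $db->real_escape_string($q);
    return "SELECT username FROM users WHERE username LIKE '$safe'";
}

// 3. Parameterized query: SQL text and data are sent to the server
//    separately, so the value can never alter the statement's structure.
//    LIKE still honours the % wildcard the page uses (C% and %), because
//    the wildcard is data, not SQL syntax.
function findUsers(PDO $db, $q)
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username LIKE :q');
    $stmt->execute([':q' => $q]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Credentials are placeholders; substitute the values SQLol's config uses.
$pdo = new PDO('mysql:host=localhost;dbname=sqlol', 'DB_USER', 'DB_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Real server-side prepares rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

foreach (findUsers($pdo, $q) as $name) {
    // Escape for HTML output; this is a separate concern from SQL escaping.
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

    Requesting search.php?q=O'Neil against the third version returns an empty result set with no SQL error, the same outcome the escaping fix gives, but it holds regardless of whether the value is quoted in the SQL. The escaped version (2) is the one-line change this project makes; the parameterized version (3) is what to move to when rewriting the page properly.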

    Testing the Fixed Page

    In your Linux machine, in IceWeasel, go to

    localhost/sqlol/search.htm

    A "Find Users" page opens, as shown below:

    In the Name field, type

    O'Neil
    Click the Submit button.

    Now, instead of an error, you see a chart showing that no results were found, as shown below:

    You can see how the fix works: the URL still shows the original search string O'Neil, but the top of the results Web page shows the escaped version O\'Neil.

    Saving a Screen Image

    Make sure the search for "O'Neil" is visible, showing an empty table with no SQL error message.

    Click on the host machine's desktop, outside the virtual machine to make the host machine's desktop active.

    Press the PrintScrn key to copy the whole desktop to the clipboard.

    Paste the image into Paint and save it with the filename "Your Name Proj20b".

    Using Havij Again

    In the Havij window, if necessary, paste this URL into the Target field, using the correct IP address of your Linux machine:

    http://192.168.198.175/sqlol/search.php?q=x

    In the Havij window, click the Analyze button.

    The Log at the bottom of the Havij window shows red error messages, as shown below, because the site is no longer vulnerable.

    Turning in Your Project

    Email the images to cnit.123@gmail.com. Use a subject line of "Proj 20 From Your Name", replacing "Your Name" with your own first and last name. Send a Cc to yourself.

    Source

    https://github.com/SpiderLabs/SQLol

    rev. to fix last figure 5-27-16