Exploiting SQLi with Havij and Input Filtering (NETLAB)
Warning
Havij is the tool LulzSec and Anonymous used to earn long prison
terms. It's so easy it will make you sick. ONLY SCAN SYSTEMS YOU HAVE PERMISSION TO ATTACK.
Use your Kali32 Machine
Open the Kali32 virtual machine. Log in as root
with the password toor
Configuring and Starting MySQL
You may already have done this, but if
your NETLAB session ended, you'll need to do it
again.
In a Terminal window, enter this command:
dpkg-reconfigure mysql-server-5.5
A box asks you for the "New password".
Type in a password of
password
and press Enter
In the next box,
type in a password of
password
and press Enter
This is obviously an insecure password,
but use it anyway for this project, to match
the password SQLol expects.
In a Terminal window, enter these commands:
service mysql start
netstat -pant
MySQL starts, and you should see it listening
on port 3306, as shown below:
Restarting Apache
In a Terminal window, enter this command:
service apache2 restart
Downloading and Installing SQLol
The original SQlol software was developed by
spiderlabs. I modified it slightly and put a
copy on my Web server--that's the version
that makes this project easiest.
In your Linux machine,
in a Terminal window, enter these commands:
cd /var/www/html
curl https://samsclass.info/124/proj14/sqlol-sbowne.tgz >sqlol-sbowne.tgz
tar xzf sqlol-sbowne.tgz
In your Linux machine, from the menu bar,
click Applications,
Internet, "IceWeasel Web Browser".
(Note: Some Linux versions have Firefox instead).
In IceWeasel, go to
localhost/sqlol
SQLol opens, as shown below:
Click RESET
A message appears saying "Done!"
If you see the "Could not connect..." message shown below,
restart mySQL with this command:
service mysql restart
|
Testing SQLol
In your Linux machine, from the menu bar,
click Applications,
Internet, "IceWeasel Web Browser".
(Note: Some Linux versions have Firefox instead).
In IceWeasel, go to
localhost/sqlol
SQLol opens, as shown below. If it does not open,
restart Apache with service apache2 restart
Click RESET
A message appears saying "Done!"
If you see
a "Could not connect..." message,
restart mySQL with service mysql start
Using the "Find Users" Page
SQLol is too complex for Havij to exploit in its original
state, so I added a simplified "Find Users" page.
In your Linux machine,
in IceWeasel, go to
localhost/sqlol/search.htm
A "Find Users" page opens, as shown below:
In the Name field, type
C%
Click the Submit button.
You should see the username "Chunk MacRunfast", as shown below:
In IceWeasel, click the Back button to return to the
"Find Users" page.
In the Name field, type
%
Click the Submit button.
You should see all five usernames, as shown below:
Breaking the "Find Users" Page
Apparently the designers of this site don't
regard usernames as confidential.
But the database also contains social
security numbers, and those really are
confidential.
The whole point of SQL injection
is that a simple form like this can
be tricked into revealing more
data than the designer intended to
reveal.
In IceWeasel, click the Back button to return to the
"Find Users" page.
In the Name field, type
O'Neil
Click the Submit button.
You should see an error message, as shown below:
This is the kiss of death--an error like this
means that you have lost control of the
database, and an attacker can often extract
all the data.
We'll steal the data with Havij, which is
absurdly easy to use.
Starting Havij
Havij is a free and powerful SQL Injection attack tool.
It's written for Windows, but it also runs on
32-bit Linux in Wine.
In a Terminal window, execute this command:
wine ~/.wine/drive_c/Program\ Files/Havij/Havij.exe
Using Havij to Steal Data
Note: you must type the URL into Havij,
not paste it, or wine will crash!
In the Havij window, type this URL into the Target field:
http://localhost/sqlol/search.php?q=x
In the Havij window, click the Analyze button.
The Log at the bottom of the Havij window should show
happy blue and green text, indicating that it
found a vulnerability, ending with
"Current DB: sqlol",
as shown below:
In the upper center of the Havij window, click the
Tables button.
In the lower bar that appears, click the
"Get Tables" button.
The tables "ssn" and "users" appear,
as shown below:
In the left-center pane of the Havij window, check
the ssn and users boxes.
In the center of the Havij window,
click the
"Get Columns" button.
The column names appear,
as shown below:
In the left-center pane of the Havij window,
in the "ssn" table section, check
the name and ssn boxes.
In the center of the Havij window,
click the
"Get Data" button.
The names and SSNs appear,
as shown below:
Fixing the Vulnerability with Input Validation
On your Kali Linux machine,
in a Terminal window,
execute these commands:
cd /var/www/html/sqlol
cp search.php old-search.php
nano search.php
Scroll down a few screens to
find the existing code marked with a comment
saying "PATCH VULNERABLE CODE HERE",
as shown below:
Add this line under the comment:
$q = mysql_real_escape_string($q);
Your code should now look like the image
shown below:
Save the page with Ctrl+X, Y, Enter.
This line adds backslash characters before
quotation marks, which will prevent simple SQL
syntax errors. This is not the strongest defense
possible against SQL injection, but it's a
lot better than nothing.
Testing the Fixed Page
In your Linux machine,
in IceWeasel, go to
localhost/sqlol/search.htm
A "Find Users" page opens, as shown below:
In the Name field, type
O'Neil
Click the Submit button.
Now, instead of an error, you see
a chart showing that no results
were found, as shown below:
You can see how the fix works: the URL shows
the original search string of O'Neil
but the top of the results Web page shows
the escaped version O\'Neil
Using Havij Again
In the Havij window, if necessary,
make sure the URL into the Target field
is still:
http://localhost/sqlol/search.php?q=x
In the Havij window, click the Analyze button.
The Log at the bottom of the Havij window
shows red error messages,
as shown below, because the site is no longer
vulnerable.
Source
https://github.com/SpiderLabs/SQLol
Revised for NETLAB 6-15-16
Revised with crash warning 6-28-16