In a previous post I designed a simple web page that accepts a username and password. I chose to test this same page for SQL injection with a tool called sqlmap.
First, from the server traffic captured in the previous post, I noticed the form data was posted as "username=test&password=test". I took this information and built the sqlmap command I was going to run.
python sqlmap.py --data="username=test&password=test" --url="http://test.local" -t http.log
It was after some research that I found the "-t" option. This logs all of the HTTP traffic (client requests and server responses) to a file, in plain text or in whatever encoding was used on the wire.
The http.log was a lot easier to work with than Wireshark, which I had initially been using. I wanted to understand more of how sqlmap could gather the database name, the table names and then the contents of those tables.
I grepped the http.log file for the keyword username= and, after URL-decoding the matches, found the SQL statements being sent back and forth. Then I analyzed the Set-Cookie header for the data that was being leaked.
Observations to note:
1. When you create a variable that passes data, verify that the size of the variable is checked. If the username or password had been truncated to a fixed length, sqlmap would not have been able to gather the data it needed.
2. Sanitize the data as it is passed in a POST or GET variable.
3. Hackers will hide what they are trying to accomplish from the HTTP logs, because POST data is not recorded in the URL.
4. If the username and password were incorrect, the sqlmap tool would not work properly.
5. Be careful about disclosing the errors that may occur in a SQL query or in the web page. These could give hackers a clue as to how your application is designed.
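To illustrate observations 1, 2 and 5, here is an added example (not the login page from the earlier post, whose code is not shown here) of a login check written the way that page was attacked, beside a hardened version. It assumes an in-memory sqlite3 table with a constructed test user; the vulnerable version builds the query from the posted fields and echoes the database error, the hardened one bounds the field length, uses a parameterised query and returns a generic message.

```python
import sqlite3

MAX_LEN = 32  # assumed upper bound for a posted username or password


def make_db():
    # Constructed sample data; a real application would store password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test', 'test')")
    return conn


def login_vulnerable(conn, username, password):
    # The posted fields are concatenated straight into the SQL, so the POST
    # body can change the shape of the query (observation 2).
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        return conn.execute(sql).fetchone() is not None, None
    except sqlite3.Error as exc:
        # The raw error and the query are sent back to the client (observation 5).
        return False, "SQL error: %s in %s" % (exc, sql)


def login_hardened(conn, username, password):
    # Observation 1: reject oversized fields before they reach the query.
    if len(username) > MAX_LEN or len(password) > MAX_LEN:
        return False, "invalid credentials"
    # Observation 2: bound parameters; the posted data is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
        return row is not None, None
    except sqlite3.Error:
        # Observation 5: a generic message for the client; details go to the
        # server log only.
        return False, "invalid credentials"
```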
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.