
Tuesday, November 8, 2011

[Learning] SQL injection - ruxcon training website



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/sqli-ruxcon

Description:

This is the Ruxcon web pen testing training website (used to practise SQL injection), provided by Louis.

Attacker:
Backtrack 5 R2
IP: 192.168.1.60

Victim:
Photoblog (training website)
IP: 192.168.1.56

vulnerability & exploit:
MySQL based SQL injection

Attacking process:
1, discover the vulnerable services:
use nmap to probe the open ports and detect the services behind them
nmap -sS -sV -O 192.168.1.56 -v

found the following services:
[1] MySQL database service running on port 3306
[2] HTTP web service running on port 80

2, browse the website and find the injection point
[1] the potentially vulnerable URL: http://192.168.1.56/cat.php?id=1

3, test whether the potential injection point is vulnerable
[1] numeric based SQL injection test:
request the following two URLs and compare the responses.
URL one "http://192.168.1.56/cat.php?id=1 and 1=2" (returns nothing)
vs.
URL two "http://192.168.1.56/cat.php?id=1 and 1=1" (returns the normal page)

The test above shows that this is a vulnerable SQL injection point: the id value is evaluated as part of the SQL WHERE clause, so the always-false condition 1=2 suppresses the result while the always-true condition 1=1 leaves the page unchanged.
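To make concrete why the two URLs in step 3 behave differently, here is an added example (not code from the Ruxcon training site, whose cat.php source is not shown on this page). It uses Python with an in-memory SQLite database as a stand-in for MySQL, an invented categories table, a hypothetical handler that concatenates the id parameter into the query the way a vulnerable cat.php would, and a hardened handler that validates the value and binds it as a parameter; the probe function applies the step-3 comparison to each handler.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the photoblog database.
    Assumption: the real table layout is not on the page, so this schema is invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO categories VALUES (?, ?)",
        [(1, "Ruxcon"), (2, "Landscapes"), (3, "Portraits")],
    )
    return conn


def vulnerable_lookup(conn, raw_id):
    """Hypothetical cat.php-style handler: the ?id= value is pasted straight into
    the SQL text, so anything after the number is parsed as SQL."""
    sql = "SELECT name FROM categories WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, raw_id):
    """Same lookup with input validation plus a bound parameter: the value is
    rejected unless it is a plain integer, and is then passed to the driver
    separately from the SQL text, so it can never change the query structure."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT name FROM categories WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


def boolean_probe_differs(lookup, conn):
    """The step-3 check: do 'id=1 and 1=1' and 'id=1 and 1=2' give different
    results? True means the parameter is being interpreted as SQL."""
    try:
        true_page = lookup(conn, "1 and 1=1")
        false_page = lookup(conn, "1 and 1=2")
    except ValueError:
        return False  # the hardened handler refuses the probe outright
    return true_page != false_page


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler, 1 and 1=1:", vulnerable_lookup(db, "1 and 1=1"))
    print("vulnerable handler, 1 and 1=2:", vulnerable_lookup(db, "1 and 1=2"))
    print("vulnerable differs:", boolean_probe_differs(vulnerable_lookup, db))
    print("hardened differs:", boolean_probe_differs(hardened_lookup, db))
```

The two handlers return the same row for a well-formed id; the difference only appears when the value carries SQL, which is exactly what the differential test detects. Whitelisting the integer before binding it is belt-and-braces: the bound parameter alone already prevents the injection, the validation additionally gives a clean error instead of a database error message that could leak schema details.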

4, exploit the injection point and finally gain admin access.
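From the defender's side, the same two probe URLs leave a recognisable trace in the web server's access log. The following is an added example, not part of the original post or the training site: a small Python scanner over constructed Apache-style log lines (the IP addresses reuse the lab addresses above; timestamps, status codes and sizes are made up) that flags requests whose URL-decoded query parameters carry a tautology/contradiction or a UNION SELECT payload, and then reports sources that sent both a true and a false probe against the same parameter, the signature of the differential test in step 3 rather than a single stray hit.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (not from the page). The probe requests reproduce the
# step-3 URLs; 192.168.1.77 is an invented ordinary visitor for contrast.
SAMPLE_LOG = """\
192.168.1.60 - - [08/Nov/2011:10:01:02 +1100] "GET /cat.php?id=1 HTTP/1.1" 200 5123
192.168.1.60 - - [08/Nov/2011:10:01:09 +1100] "GET /cat.php?id=1%20and%201=2 HTTP/1.1" 200 812
192.168.1.60 - - [08/Nov/2011:10:01:15 +1100] "GET /cat.php?id=1%20and%201=1 HTTP/1.1" 200 5123
192.168.1.77 - - [08/Nov/2011:10:02:30 +1100] "GET /cat.php?id=2 HTTP/1.1" 200 4870
192.168.1.60 - - [08/Nov/2011:10:03:41 +1100] "GET /cat.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 5300
"""

# Apache common/combined log prefix: client IP, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# "and 1=1" / "or 1=2" style conditions appended to a numeric value.
TAUTOLOGY_RE = re.compile(r"\b(and|or)\s+(\d+)\s*=\s*(\d+)", re.I)
# UNION-based column probing.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)


def classify(value):
    """Return 'union', 'true', 'false' or None for one decoded parameter value.
    'true'/'false' says whether the appended comparison always holds (1=1) or
    never holds (1=2), which is what the differential test toggles."""
    if UNION_RE.search(value):
        return "union"
    m = TAUTOLOGY_RE.search(value)
    if m:
        return "true" if m.group(2) == m.group(3) else "false"
    return None


def flag_sqli(log_text):
    """Parse each line, URL-decode the query string and return
    (ip, path, param, value, kind) for every suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        parts = urlsplit(m["path"])
        # parse_qsl splits on '&' and the first '=' and decodes %20 etc.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                hits.append((m["ip"], parts.path, name, value, kind))
    return hits


def differential_probes(hits):
    """Group hits by (ip, path, param) and keep the groups that contain both a
    true and a false probe: one source testing the same parameter both ways."""
    seen = {}
    for ip, path, name, _value, kind in hits:
        seen.setdefault((ip, path, name), set()).add(kind)
    return sorted(key for key, kinds in seen.items() if {"true", "false"} <= kinds)


if __name__ == "__main__":
    found = flag_sqli(SAMPLE_LOG)
    for hit in found:
        print("suspicious:", hit)
    print("differential probing from:", differential_probes(found))
```

The grouping step matters for alert quality: a single "1=1" in a parameter may be noise, but the same client sending the true and the false variant against the same parameter within a short window is the step-3 test being run against you, and is worth a higher-severity alert than any one pattern match. The response-size column (5123 vs 812 here) is a second signal a real detector could use, since the two probes return different page sizes exactly when the parameter is injectable.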

Reference:
[1] https://www.owasp.org/index.php/Unrestricted_File_Upload
[2] http://dev.mysql.com/doc/refman/5.0/en/tables-table.html
[3] http://hungred.com/useful-information/secure-file-upload-check-list-php/
[4] http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/