Learning Web Pentesting With DVWA Part 2: SQL Injection

In the last article Learning Web Pentesting With DVWA Part 1: Installation, you were given a glimpse of SQL injection when we installed the DVWA app. In this article we will explain what we did at the end of that article and much more.

Lets start by defining what SQL injection is, OWASP defines it as: "A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands."

Which basically means that we can use a simple (vulnerable) input field in our web application to get information from the database of the server which hosts the web application. We can command and control (at certain times) the database of the web application or even the server.

In this article we are going to perform SQL injection attack on DVWA, so let's jump in. On the DVWA welcome page click on SQL Injection navigation link. We are presented with a page with an input field for User ID.

Now lets try to input a value like 1 in the input field. We can see a response from server telling us the firstname and surname of the user associated with User ID 1.

If we try to enter a user id which doesn't exist, we get no data back from the server. To determine whether an input field is vulnerable to SQL injection, we first start by sending a single quote (') as input. Which returns an SQL error.

We saw this in the previous article and we also talked about injection point in it. Before diving deeper into how this vulnerability can be exploited lets try to understand how this error might have occurred. Lets try to build the SQL query that the server might be trying to execute. Say the query looks something like this:

SELECT first_name, sur_name FROM users WHERE user_id = '1';

The 1 in this query is the value supplied by the user in the User ID input field. When we input a single quote in the User ID input field, the query looks like this:

SELECT first_name, sur_name FROM users WHERE user_id = ''';

The quotes around the input provided in the User ID input field are from the server side application code. The error is due to the extra single quote present in the query. Now if we specify a comment after the single quote like this:
'-- -
or
'#
we should get no error. Now our crafted query looks like this:

SELECT first_name, sur_name FROM users WHERE user_id = ''-- -';

or

SELECT first_name, sur_name FROM users WHERE user_id = ''#';

since everything after the # or -- - are commented out, the query will ignore the extra single quote added by the server side app and whatever comes after it and will not generate any error. However the query returns nothing because we specified nothing ('') as the user_id.

After knowing how things might be working on the server side, we will start to attack the application.
First of all we will try to determine the number of columns that the query outputs because if we try a query which will output the number of columns greater or smaller than what the original query outputs then our query is going to get an error. So we will first figure out the exact number of columns that the query outputs and we will do that with the help of order by sql statement like this:

' order by 1-- -

This MySQL server might execute the query as:

SELECT first_name, sur_name FROM users WHERE user_id = '' order by 1-- -';

you get the idea now.
if we don't get any error message, we will increase the number to 2 like this:

' order by 2-- -

still no error message, lets add another:

' order by 3-- -

and there we go we have an error message. Which tells us the number of columns that the server query selects is 2 because it erred out at 3.

Now lets use the union select SQL statement to get information about the database itself.

' union select null, version()-- -

You should first understand what a union select statement does and only then can you understand what we are doing here. You can read about it here.
We have used null as one column since we need to match the number of columns from the server query which is two. null will act as a dummy column here which will give no output and the second column which in our case here is the version() command will output the database version. Notice the output from the application, nothing is shown for First name since we specified null for it and the maria db version will be displayed in Surname.
Now lets check who the database user is using the user() function of mariadb:

' union select null, user()-- -

After clicking the submit button you should be able to see the user of the database in surname.

Now lets get some information about the databases in the database.
Lets determine the names of databases from INFORMATION_SCHEMA.SCHEMATA by entering following input in the User ID field:

' union select null, SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA-- -

This lists two databases dvwa and information_schema. information_schema is the built in database. Lets look at the dvwa database.
Get table names for dvwa database from INFORMATION_SCHEMA.TABLES

' union select null, TABLE_NAME from INFORMATION_SCHEMA.TABLES-- -

It gives a huge number of tables that are present in dvwa database. But what we are really interested in is the users table as it is most likely to contain user passwords. But first we need to determine columns of that table and we will do that by querying INFORMATION_SCHEMA.COLUMNS like this:

' union select null, COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'-- -

We can see the password column in the output now lets get those passwords:

' union select user, password from users-- -

Of-course those are the hashes and not plain text passwords. You need to crack them.
Hope you learned something about SQL injection in this article. See you next time.

References:

1. SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
2. MySQL UNION: https://www.mysqltutorial.org/sql-union-mysql.aspx
3. Chapter 25 INFORMATION_SCHEMA Tables: https://dev.mysql.com/doc/refman/8.0/en/information-schema.html

More information

• Pentest Tools Free
• Pentest Tools Github
• Hack Tools For Ubuntu
• Nsa Hack Tools
• Easy Hack Tools
• Hack Tools Mac
• What Is Hacking Tools
• How To Make Hacking Tools
• Hack Rom Tools
• Pentest Tools Bluekeep
• Hack Tool Apk
• Bluetooth Hacking Tools Kali
• Best Hacking Tools 2020
• Hacking Tools
• Usb Pentest Tools
• Hacker Tools For Mac
• Hacking Tools For Mac
• Pentest Tools Url Fuzzer
• Termux Hacking Tools 2019
• Hacking Tools 2020
• Blackhat Hacker Tools
• Hacking Tools Hardware
• Pentest Tools Open Source
• Pentest Tools Review
• Hacker Tools Linux
• Hacker Tools Apk Download
• Hacking Tools 2020
• Hacking Tools 2019
• Best Hacking Tools 2020
• Hacking Tools Download
• Hack Tools Mac
• What Are Hacking Tools
• Hacker Security Tools
• Pentest Tools Free
• Game Hacking
• Hack Tools For Ubuntu
• Hacker Tools Apk
• How To Hack
• Hacker Techniques Tools And Incident Handling
• Beginner Hacker Tools
• Hack Website Online Tool
• Bluetooth Hacking Tools Kali
• Hacks And Tools
• Hacking Tools
• Hacker Tools Apk Download
• Underground Hacker Sites
• Kik Hack Tools
• Pentest Tools Github
• Physical Pentest Tools
• Hacking Apps
• Blackhat Hacker Tools
• How To Install Pentest Tools In Ubuntu
• Hacking Apps
• Hacking Tools Windows 10
• Pentest Tools Url Fuzzer
• Hacking Tools Kit
• Pentest Tools Apk
• Pentest Tools Website Vulnerability
• Hacker Tools Online
• Beginner Hacker Tools
• Hacking Tools Hardware
• Hack Tools
• Pentest Tools Nmap
• Bluetooth Hacking Tools Kali
• Hack App
• Hacker Tools For Mac
• Hacker Tools 2020
• Hack App
• Hacker Tools Free
• Hacks And Tools
• How To Make Hacking Tools
• Hacker Tools Online
• New Hacker Tools
• Nsa Hack Tools Download
• Kik Hack Tools
• Hacking Tools Free Download
• Hacking Tools Name
• Nsa Hack Tools Download
• Hack Tools
• New Hacker Tools
• Pentest Tools Alternative
• How To Hack
• Hacking Tools Hardware
• Pentest Tools
• Hacking Tools Github
• Pentest Tools Alternative
• Hacker Tools 2019
• What Are Hacking Tools
• Pentest Tools Alternative
• Best Hacking Tools 2019
• Pentest Tools List
• Ethical Hacker Tools
• Hack Tools Download
• Hacking Tools For Mac
• Computer Hacker
• Hack Tools
• Hack Tool Apk
• Hacking Tools Mac
• Hacking Tools Windows
• Hacking Tools 2020
• Pentest Tools Alternative
• New Hacker Tools
• New Hacker Tools
• Pentest Tools
• Nsa Hacker Tools
• Install Pentest Tools Ubuntu
• Hacker Tools Linux
• Pentest Tools
• Pentest Box Tools Download
• Hack Tool Apk
• Hacker Tools For Pc
• Pentest Tools
• Hack Rom Tools
• Pentest Tools Windows
• Nsa Hack Tools Download
• Hacker Techniques Tools And Incident Handling
• Hacking Tools Kit
• Hacking Tools For Windows Free Download
• Hacking Tools For Beginners
• Hacking Tools Free Download
• Termux Hacking Tools 2019
• Hack Tools
• Hacking Tools For Windows Free Download
• Hacker Tools List
• Hack Tool Apk
• Pentest Tools Apk
• New Hacker Tools
• Pentest Tools Online
• Hack Tools
• Usb Pentest Tools
• Pentest Tools Tcp Port Scanner
• Hacker Tools Free
• Hacker Tools For Mac
• How To Install Pentest Tools In Ubuntu
• Hack Tools Pc
• Hack And Tools
• Hack Tools
• New Hack Tools
• Hack Tools For Windows

New Printers Vulnerable To Old Languages

When we published our research on network printer security at the beginning of the year, one major point of criticism was that the tested printers models had been quite old. This is a legitimate argument. Most of the evaluated devices had been in use at our university for years and one may raise the question if new printers share the same weaknesses.

35 year old bugs features

The key point here is that we exploited PostScript and PJL interpreters. Both printer languages are ancient, de-facto standards and still supported by almost any laser printer out there. And as it seems, they are not going to disappear anytime soon. Recently, we got the chance to test a $2,799 HP PageWide Color Flow MFP 586 brand-new high-end printer. Like its various predecessors, the device was vulnerable to the following attacks:

• Capture print jobs of other users if they used PostScript as a printer driver; This is done by first infecting the device with PostScript code
• Manipulate printouts of other users (overlay graphics, introduce misspellings, etc.) by infecting the device with PostScript malware
• List, read from and write to files on the printers file system with PostScript as well as PJL functions; limited to certain directories
• Recover passwords for PostScript and PJL credentials; This is not an attack per se but the implementation makes brute-force rather easy
• Launch denial of Service attacks of various kinds:
  • PostScript based infinite loops
  • PostScript showpage redefinition
  • Disable jobmedia with proprietary PJL
  • Set the device to offline mode with PJL

Now exploitable from the web

All attacks can be carried out by anyone who can print, which includes:

• Web attacker:
  • A malicious website that uses XSP
• Network access:
  • Via Jetdirect (port 9100/tcp)
  • Via LPD (port 515/tcp)
  • Via IPP (port 631/tcp)
• Wireless access:
  • Apple Air Print (enabled by default)
• Cloud access:
  • Google Cloud Print (disabled by default)
• Physical access:
  • Printing via USB cable or USB drive
  • Potentially NFC printing (haven't tested)

Note that the product was tested in the default configuration. To be fair, one has to say that the HP PageWide Color Flow MFP 586 allows strong, Kerberos based user authentication. The permission to print, and therefore to attack the device, can be be limited to certain employees, if configured correctly. The attacks can be easily reproduced using our PRET software. We informed HP's Software Security Response Team (SSRT) in February.

Conclusion: Christian Slater is right

PostScript and PJL based security weaknesses have been present in laser printers for decades. Both languages make no clear distinction between page description and printer control functionality. Using the very same channel for data (to be printed) and code (to control the device) makes printers insecure by design. Manufacturers however are hard to blame. When the languages were invented, printers used to be connected to a computer's parallel or serial port. No one probably thought about taking over a printer from the web (actually the WWW did not even exist, when PostScript was invented back in 1982). So, what to do? Cutting support for established and reliable languages like PostScript from one day to the next would break compatibility with existing printer drivers. As long as we have legacy languages, we need workarounds to mitigate the risks. Otherwise, "The Wolf" like scenarios can get very real in your office…

Continue reading

1. Hacker Tools For Pc
2. Nsa Hack Tools
3. Pentest Tools For Windows
4. Hackrf Tools
5. What Are Hacking Tools
6. Hacker Tools Mac
7. Pentest Tools Framework
8. Pentest Tools For Windows
9. Tools 4 Hack
10. Pentest Tools Apk
11. Game Hacking
12. How To Make Hacking Tools
13. Hack Tools Pc
14. Hackrf Tools
15. Hacker Tools
16. Hacker Tools For Pc
17. How To Install Pentest Tools In Ubuntu
18. Usb Pentest Tools
19. Android Hack Tools Github
20. Hacking Tools And Software
21. Hack Tools
22. Hak5 Tools
23. Pentest Box Tools Download
24. Usb Pentest Tools
25. Pentest Tools Nmap
26. Hacking Tools For Beginners
27. New Hacker Tools
28. Hacker Tools Linux
29. Hacker Tools 2020
30. Top Pentest Tools
31. Hacking Tools And Software
32. Hack Tools For Windows
33. Hack App
34. Pentest Automation Tools
35. Best Hacking Tools 2019
36. Growth Hacker Tools
37. Hacker Tools Online
38. Pentest Tools For Windows
39. Hack App
40. Hack Tools Download
41. Android Hack Tools Github
42. Hacking Tools Kit
43. Hack Tools For Games
44. Pentest Tools List
45. Hack Tools Download
46. How To Hack
47. Pentest Automation Tools
48. Pentest Tools For Windows
49. Pentest Tools Download
50. Pentest Tools Nmap
51. Android Hack Tools Github
52. Hack Tool Apk
53. What Are Hacking Tools
54. Hacking App
55. Pentest Tools Port Scanner
56. Hacks And Tools
57. Hacking Tools Software
58. Tools Used For Hacking
59. Hack Tools For Windows
60. Hacking Tools For Games
61. Hacker
62. Hacker
63. Hacking Tools For Windows
64. Pentest Tools List
65. Pentest Tools Free
66. Hacker Tools 2020
67. Hacker Tools For Ios
68. Hacking Tools Online
69. Pentest Tools
70. Hacker Tool Kit
71. Hak5 Tools
72. Hack Tools Pc
73. Github Hacking Tools
74. Pentest Automation Tools
75. Hacking Tools For Windows
76. Pentest Tools Windows
77. Termux Hacking Tools 2019
78. Github Hacking Tools
79. Hacker Tools 2019
80. Hacker Hardware Tools
81. Hack Tools Github
82. Hacker Tools Free
83. Nsa Hack Tools
84. Pentest Tools
85. Hackers Toolbox
86. Hack Apps
87. Hacker Tools Linux
88. How To Hack
89. Hacker Tools For Mac
90. Hacking Tools Usb
91. Hacking Tools Pc
92. Termux Hacking Tools 2019
93. Hacker Tools Free Download
94. Pentest Tools For Windows
95. Pentest Tools Bluekeep
96. Pentest Box Tools Download
97. Hacking Tools For Windows
98. Pentest Tools Website
99. Pentest Tools Find Subdomains
100. Hackers Toolbox
101. Pentest Tools Download
102. Pentest Reporting Tools
103. Kik Hack Tools
104. Bluetooth Hacking Tools Kali
105. Hacking Tools Hardware
106. Hack Tools For Ubuntu
107. Hacking Tools Windows
108. Hacking Tools Download
109. Hack Tools 2019
110. Hacking Tools Pc
111. Hacker Tools Mac
112. Github Hacking Tools
113. Nsa Hack Tools Download
114. Pentest Tools Website
115. Hacker Tools Hardware
116. Pentest Tools Bluekeep
117. Pentest Tools Free
118. Game Hacking
119. Hacker Tools Linux
120. Nsa Hack Tools Download
121. Hacking Tools
122. Hacker Tools Free Download
123. Hacking Tools For Windows 7
124. Hacker Tools List
125. Github Hacking Tools
126. Computer Hacker
127. Beginner Hacker Tools
128. Hacking Tools Pc
129. Pentest Tools For Android
130. Pentest Tools Apk
131. Pentest Reporting Tools
132. Pentest Automation Tools
133. Hacking Tools For Mac
134. Pentest Recon Tools
135. Hack Tool Apk
136. Pentest Box Tools Download
137. Black Hat Hacker Tools
138. Game Hacking
139. Hacker Tools For Windows
140. Pentest Tools Review
141. Hack App
142. Best Hacking Tools 2019
143. Nsa Hack Tools Download
144. Hacking Tools 2020
145. Hack Tools
146. Pentest Tools Free
147. Kik Hack Tools
148. Pentest Tools Download
149. Pentest Tools For Windows
150. Physical Pentest Tools
151. Hack Tools For Windows
152. Hack Tools
153. Hacking Tools Mac
154. Pentest Tools Apk
155. Hacker Tools List
156. Hacker Tools For Windows
157. Pentest Automation Tools
158. Pentest Tools For Android
159. Hacker Tools For Windows
160. Nsa Hack Tools
161. Hacker Tool Kit
162. Hacker Tools Linux
163. Pentest Tools Kali Linux
164. Hack Tools For Pc
165. Hack Tools
166. Pentest Tools Windows
167. Ethical Hacker Tools

Thank You To Volunteers And Board Members That Worked BlackHat Booth 2019

The OWASP Foundation would like to thank the OWASP Las Vegas Chapter Volunteers for taking the time out of their busy schedule to give back and volunteer to work the booth at BlackHat 2019.  It was great meeting our Las Vegas OWASP members and working with Jorge, Carmi, Dave, and Nancy.  
Also, take a moment to thank Global Board Members Martin Knobloch, Owen Pendlebury, and Gary Robinson for also working the booth and speaking with individuals and groups to answer questions on projects and suggestions on the use of our tools to address their work problems.
OWASP can not exist without support from our members.  

Related links

1. Pentest Tools Nmap
2. Hacking Tools For Pc
3. Hacker Tools For Pc
4. Hacking Tools Usb
5. Pentest Tools Free
6. Pentest Automation Tools
7. Pentest Tools For Android
8. Pentest Tools Url Fuzzer
9. Pentest Tools Subdomain
10. Hacking Tools For Windows 7
11. Hacker Tools Github
12. Hack Tools
13. Hack Tools
14. Hacking Tools For Games
15. Pentest Tools Tcp Port Scanner
16. Pentest Tools Bluekeep
17. Hacker Tool Kit
18. Pentest Tools Nmap
19. Pentest Recon Tools
20. Hack Rom Tools
21. Pentest Tools
22. Hacking Tools Online
23. Pentest Tools Tcp Port Scanner
24. Hacking Tools For Windows Free Download
25. Hacking Tools For Mac
26. Hacking Tools For Windows 7
27. Top Pentest Tools
28. How To Hack
29. Pentest Tools Bluekeep
30. Hack Tools For Mac
31. Hacker Tools Online
32. Pentest Tools
33. Hacker
34. Pentest Tools Open Source
35. Bluetooth Hacking Tools Kali
36. How To Hack
37. Hacks And Tools
38. Pentest Tools Nmap
39. Pentest Tools Tcp Port Scanner
40. Hacker Tools 2020
41. Hacking Tools
42. Hacking Tools Github
43. Hacking Tools For Mac
44. Hack Tools
45. Computer Hacker
46. Blackhat Hacker Tools
47. Hack App
48. Pentest Tools Free
49. Top Pentest Tools
50. Hacker Tools Hardware
51. New Hacker Tools
52. Hacker Tool Kit
53. Hacking Tools For Games
54. Hackrf Tools
55. Hacking Tools
56. Hacking Tools For Kali Linux
57. Hacking Tools And Software
58. Hak5 Tools
59. Pentest Tools Free
60. Hacker Security Tools
61. Top Pentest Tools
62. Kik Hack Tools
63. Hacker Tools For Pc
64. Pentest Tools Github
65. Hacker Tools Windows
66. Termux Hacking Tools 2019
67. Kik Hack Tools
68. Free Pentest Tools For Windows
69. Hack Tools Github
70. Hacker Tools Online
71. Pentest Tools
72. Pentest Tools Framework
73. New Hacker Tools
74. Hacker Tools Free Download
75. Best Hacking Tools 2020
76. Hack Tools Online
77. Hack Tools
78. Pentest Tools Windows
79. Hacking Tools 2020
80. Hacking Tools For Mac
81. Hack Rom Tools
82. Pentest Tools Url Fuzzer
83. Hacker
84. Hacker Tools Mac
85. Hack App
86. Usb Pentest Tools
87. Hak5 Tools
88. Hacking Tools Free Download
89. Computer Hacker
90. Hacking Tools For Beginners
91. Pentest Tools Online
92. Pentest Tools Review
93. Pentest Tools Android
94. Hacking Tools Windows 10
95. Hacking Tools Github
96. Hacker Tools Online
97. Pentest Tools Linux
98. Top Pentest Tools
99. Best Pentesting Tools 2018
100. Hacker Tools Apk Download
101. Hack Tools For Pc
102. Hacker Tools Linux
103. Pentest Tools Website
104. Hack Tools 2019
105. Hak5 Tools
106. Pentest Tools Linux
107. Hacking Tools Online
108. Nsa Hack Tools Download
109. Best Hacking Tools 2019
110. Hacker Tools Hardware
111. Pentest Tools For Windows
112. Hack Tools Mac
113. Hacker Tools Hardware
114. Hacker Tools Apk