[00:00:00] In this lesson, I'm going to show you how we use something like Burp Suite, which is a web proxy, to grab cookie and session data, to be able to feed it into an SQL injection. So to begin this SQL injection, we first need an SQL injection vulnerable website or database. And so on the left of my screen, you can see the Damn Vulnerable Web App version 1.0.7, which is being run inside the Metasploitable 2 virtual machine. My Kali machine is going to make a connection to it, which I've done here, to be able to access this website. Now the way this form works is if you put in a user ID, for instance, record number two, and hit submit, back will pop up the first and last name of the person. That's all this database interaction is doing for us.

Now, what I want to do is I want to be able to grab that information, stop it from being sent to the web server from my browser by using my web proxy, and then I can capture the data from it that I need. To do that, I have to go to my proxy setting inside of Burp Suite, and right now you can see my intercept is on.
[00:01:06] Now, I need to configure my web browser to actually use that proxy. So, I'm going to go down to my preferences, and from preferences, we're going to go to advanced, click on network, and then click on settings under connection. From here, we can set up the manual proxy, and I'm going to use the localhost 127.0.0.1 on port 8080. This will tell it to use my Burp Suite tool. So, if I go ahead and close that, now if I go in and say I want to get record number three, notice when I submit it I don't get the answer back in my web browser, because my web browser hasn't actually made a connection to the web server that's going to get me that information. Instead, it sent it to the right, over to Burp Suite, which has captured it, and notice that Burp Suite now has that cookie information that I need. It tells me the security level. It tells me the PHP session ID, and I'm going to be able to use that as part of my attack against this web server. So, the first thing I want to do is I want to capture some of this information.
[00:02:05] First, I need to know the website that we were trying to go to, so I'm going to go ahead and copy that, and I'm going to go ahead and go into my terminal. And so what we're going to do is we're going to use SQLmap -u, and we're going to provide the website that we're going to. So, I'm just going to paste that in, and then I'm going to use --cookie=, and I'm going to copy the information from my cookie. So, let me go ahead and bring that back over to Burp Suite, and we will copy this cookie information, and then we will paste that in, and from there, we're going to go ahead and hit enter. So, at this point, it's going to start querying the database. The first thing it notices is that this is a MySQL database, so it's asking do I want to skip all the test payloads for other databases, and in this case, we're going to just use the default of yes. And it's going to say do you want to include all the tests for MySQL, and we'll go ahead and say yes, and it's going to go through and start querying that database, and trying to do different injections.
[00:03:15] So, you'll notice here that it is trying to do different testing based on the version of MySQL, trying to do things that are stacked queries and other errors, to figure out what this is vulnerable to. So now it finds that it found an ID parameter that was vulnerable; that's that ID=2 or ID=3. Do we want to keep testing others? We'll go ahead and say no, 'cause we already found a way into this database. And now we're going to see everything that it found. So, if I go ahead and scroll up a little bit, we find that the GET ID is vulnerable. We also found that it was vulnerable based on a Boolean-based blind. It was vulnerable based on an AND/OR time-based blind, and it was vulnerable based on a union query. We also were able to find out that the web server was Linux Ubuntu 8.04. We found the version of Apache, the version of PHP, and the version of this database. And all of that information is now saved to this file, as shown in green on the screen, but that really didn't give me a lot of details yet that I want to use. It just tells me information about our target.
[00:04:19] And so now what I want to do is I want to enumerate the databases, so I'm going to add a --dbs at the end, and hit enter. This is going to go through and find what databases are on that server. Notice it found seven databases: dvwa, information_schema, metasploit, mysql, owasp10, tikiwiki, and tikiwiki195. Now, the one we want to target here is the dvwa, the Damn Vulnerable Web App. And so now that we know what database we want to target, which is the dvwa, I want to select that database with my commands. I'm going to go arrow up again, go backspace, put a capital -D, which stands for database, and the database I want to select, and then I want to enumerate it for the tables, to figure out what tables exist inside that database. So, I'm going to put --tables, and that will tell me what tables are associated with it. Go ahead and enter, and it goes through and scans, and it finds two tables, guestbook and users. So, now I want to be able to dump the columns from those tables.
[00:05:20] Again, I went from the database down to the table, now I want to dig in a little bit further and get those columns. So to do that, we're going to arrow up. We're going to backspace out of tables, and do -T, and give it the table we want, which is users, and then --columns. And off we go, we now have six columns: the user, avatar, first_name, last_name, password, and user_id. Wouldn't it be great if we could get those passwords for those users? I think it would, so let's go a little bit further here, and what we're going to do is arrow up. Take out the word columns, and put in the word dump, and here we go. Do we want to save these hashes to a temporary file? We'll say no. And what it's doing is it's grabbing any password hashes from the password column, and it's going to attempt to do a dictionary attack to crack them. And then we're just going to go ahead and use the standard default dictionary of number 1, and do we want to use common suffixes? No.
[00:06:20] We're just going to use the default things, and it's grabbed those hashes, and it's already starting to crack those passwords. Notice that I already have a password for charley, and abc1, and password, and letmein, and here it is on the screen. And so you can see that the first user ID is admin, and their password in parentheses is password. The second user is gordonb, and his password was abc123. The third username was 1337, and their password was charley. The fourth was pablo with letmein, and the fifth was smithy with password. Again, these are all very simple passwords, and easy to crack, but you can see the power of an SQL injection. We can interact directly with that database, because we've been able to break through the PHP front end, and be able to inject into the database, and get information back that we shouldn't be able to get back. And because SQLmap is such an easy-to-use program, it makes our injections very automated and easy to use.