Thursday, 19 July 2012

DVWA SQL Injection LOW Level


1. Input 1 for the user id and hit submit to see the result.



When you hit submit, the query SELECT first_name, last_name FROM users WHERE user_id = '1'; is sent to the database, which returns a first_name of admin and a last_name of admin; the page then displays this information to you.

2. Let's check how the form handler deals with quotes by entering O'brien and hitting submit.



Now this returns an error, but it's still interesting, because it looks like the form accepted the O' and didn't know what to do with the brien part. This means we can use the single quote in the form without problems.

3. Let's try a statement that is always true by entering O' or 1=1;-- and hitting submit.



Again we get an error; it appears not to like the -- part of our statement, which we hoped would comment out the rest of the query. The extra single quote at the end of the error shows that the query expects the quote opened by user_id = ' to be closed, so let's keep trying.

4. Let's try another statement that is always true, but with some quotes in it to fix the error from the last step. Enter O' or ''=' and hit submit.



The same results can be obtained with 1' or '1'='1';# and hitting submit, or with anything similar that evaluates to always true.



We just got a list of the names of every user in the database. We submitted the query SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'='1';#'; which says "Give me the first and last names of everyone whose user_id is equal to 1, or where 1 is equal to 1" (which is always true, and therefore it returns every entry). Also, the # symbol comments out the rest of the line (the goal of the -- that didn't work), so we can use that to make some more interesting queries and get some additional information.
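The difference between pasting the input into the query text and binding it as a parameter, shown as an added example that is not part of this walkthrough: it builds a tiny constructed users table in SQLite (so the MySQL-only # terminator is dropped from the payload) and runs the page's inputs 1, O'brien and 1' or '1'='1 through both versions of the lookup.

```python
"""Added example: the walkthrough's SELECT built by string concatenation
versus the same SELECT with a bound parameter, against a constructed
in-memory SQLite table standing in for DVWA's users table."""
import sqlite3

# Constructed sample rows (not the real DVWA data).
USERS = [("1", "admin", "admin"), ("2", "Gordon", "Brown"), ("3", "Hack", "Me")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def lookup_vulnerable(con, user_id):
    # Same shape as the low-level DVWA query: the input is spliced into the
    # SQL text, so a quote in it changes the structure of the statement.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user_id):
    # Parameter binding: the value travels separately from the SQL text, so
    # quotes and operators inside it are compared as data, never parsed.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


def compare(user_id):
    """Run one input through both versions; a failing query yields an error string."""
    con = make_db()
    try:
        vulnerable = lookup_vulnerable(con, user_id)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    return vulnerable, lookup_safe(con, user_id)


if __name__ == "__main__":
    for value in ("1", "O'brien", "1' or '1'='1"):
        print(repr(value), "->", compare(value))
```

The concatenated query errors on O'brien and returns every row for the always-true input, while the bound version returns exactly the rows whose user_id equals the literal text it was given.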

5. Let's try and find out how many columns are in the table with some more queries. To try one column we can enter 1' ORDER BY 1;# and see what happens.



No error is returned, which means there is at least 1 column in the table.
To try two columns we can enter 1' ORDER BY 2;# and see what happens.



Again no error is returned, which means there are at least 2 columns in the table.
To try three columns we can enter 1' ORDER BY 3;# and see what happens.



Hurray, an error! This means there are not 3 columns in the table, but only two.

6. Now let's try to find out the field names in the table. Let's start with 1' or firstname IS NULL;# and see what happens.



We get an error telling us there is no field named firstname. Let's try again with 1' or first_name IS NULL;# and see what happens.



7. Let's try to find the table name: input O' OR users.user_id IS NOT NULL;# and submit it. This will return all rows of the table users where the field user_id is not empty.



This is great (and lucky)! We now know that the table name is users.

8. Let's try to find the database name. First we will figure out how long it is by using the _ wildcard, which matches exactly 1 character. Input O' OR database() LIKE '__';# into the field and see what happens.



This returns no results, because the database name is not 2 characters long. Let's try 3 with O' OR database() LIKE '___';# and press submit.



Still no results, so let's try 4 characters by inputting O' OR database() LIKE '____';# and submitting it.



Alright, we now know the database name is 4 characters long; let's try to figure out what they are. To save space I'm just going to do a few of the letters that are in the database name. Let's start by inputting O' OR database() LIKE '%W%';# and hitting submit.



Alright, so the query checks to see if the letter W is anywhere in the database name and we get the results returned because it is. Let's find the other letters, try O' OR database() LIKE '%V%';# and hit submit.



Alright, so it contains a V. Two letters left; let's do O' OR database() LIKE '%D%';# and hit submit.



And for the final letter we can do O' OR database() LIKE '%A%';# and hit submit.



Alright, so we have the letters W, V, D, and A. We unscramble them and we get DVWA of course, but to confirm we can do O' OR database() LIKE 'DVWA';# and get our results.



9. Let's find out what other tables are in this database; thanks to the SQL-92 standard (ISO 9075) this is actually quite easy. SQL-92 requires the information_schema tables, which means we can input O' UNION SELECT table_schema, table_name FROM information_schema.tables;# and hit submit to list all of the tables in the database.



Well, that's a rather long list but still very useful. Let's gather some more information.

10. Let's get the current SQL database version by issuing O' UNION ALL SELECT 1, @@version;# and hitting submit.



11. How about the current database user? Let's do O' UNION ALL SELECT system_user(), user();# and hit submit.



12. Let's try to get some password hashes to crack later. To do this we need to return information the form never normally asks for, so we have to be a little creative with our SQL. Enter O' UNION ALL SELECT user, password FROM mysql.user;#' and see what you get.



So this query asks for ALL usernames and passwords from the mysql.user table.

13. We can also load PHP files; let's try ' UNION ALL SELECT Load_file('/srv/dvwa-nologin/config/config.inc.php'), '1 and hit submit.



I have only tried up to here; I have not tried what follows.
Thanks.
(Good luck.)

Wednesday, 30 May 2012

DVWA CSRF (Cross Site Request Forgery) LOW Level


Cross Site Request Forgery is very dangerous, and also quite common. OWASP describes Cross Site Request Forgery as:

 Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.

1. Go to the CSRF page in DVWA and change your admin password by entering a password in the New password and Confirm new password fields and clicking the Change button.



Notice that the page is loading but does not complete. That is because we need to tell Burp Suite to forward the intercepted request and let it finish.

2. Go to Burp Suite, click the Proxy tab, view the password-change HTTP request, and forward it; you will see that your password has changed on the DVWA site.




Now the part we are interested in is the beginning of the HTTP request, which looks something like:

http://localhost/dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=password&Change=Change#

Now all we have to do is construct a link that performs the same function and hide it in some HTML so the victim doesn't know it is happening.
I only got this far; if there is anyone who will continue, please do.



Sunday, 27 May 2012

DVWA-FILE INCLUSION : LOW Level

File Inclusion (FI) is a type of vulnerability most often found on websites. It allows an attacker to include a local file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity.

1.) Open a browser and go to the DVWA login page (http://localhost/dvwa/Login.php).


2.) Enter Username: admin and Password: password, then click Login.


3.) Go to the DVWA Security page and change the Script Security setting from high to low.


4.) Go to the File Inclusion page of DVWA and we will get started.


5.) Click the View Source button to see what the File Inclusion source looks like. This gives us an idea of how it works and what we can do.


Now we can see that there is no filtering of what we include, so let's try some things out.

6.) Change the URL from http://localhost/dvwa/vulnerabilities/fi/?page=include.php to http://localhost/dvwa/vulnerabilities/fi/?page=/etc/passwd and see what happens.


As you can see, we get the contents of the passwd file and a few error messages. We now know the name of every user who can log into the local system, but what about all of the groups that exist?

7.) Again change the URL, this time to http://localhost/dvwa/vulnerabilities/fi/?page=/etc/group, and see what happens.


Again, we get the contents of the group file and some error messages. We could view the contents of any file the web server has read access to. If this were a truly insecure website, we could also use this to view pages on other websites by changing the URL as we did before, but pointing it at a remote file or web page instead.
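A safe way to handle the page= parameter shown in the URLs above, as an added example (Python, not DVWA's code): the requested name must be on an allowlist, and the resolved path must stay under the include directory, so neither /etc/passwd nor a remote URL can ever be included. The allowlist and the directory are constructed for the example.

```python
"""Added example: resolving an include name from a request parameter safely.
The allowlist below is constructed; DVWA's real page list is not used."""
import os

# Only these names may ever be included (constructed allowlist).
ALLOWED_PAGES = {"include.php", "file1.php"}


def resolve_page(page, base_dir, allowed=ALLOWED_PAGES):
    """Return the absolute path to include, or None when the request is refused."""
    # First gate: the value must be exactly one of the expected page names.
    # Absolute paths, traversal sequences and URLs all fail this test.
    if page not in allowed:
        return None
    # Second gate (defence in depth): even an allowed name must resolve to a
    # location inside base_dir once symlinks and '..' are collapsed.
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    # Constructed include directory; the low-level DVWA code would have
    # accepted every one of these values.
    for value in ("include.php", "/etc/passwd", "../../etc/group",
                  "http://example.invalid/page.txt"):
        print(repr(value), "->", resolve_page(value, "/var/www/dvwa_fi"))
```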


DVWA COMMAND EXECUTION : LOW Level

1.) Open a browser and go to the DVWA login page (http://localhost/dvwa/Login.php).



2.) Enter Username: admin and Password: password, then click Login.



3.) Go to the DVWA Security page and change the Script Security setting from high to low.



4.) Go to the Command Execution page in DVWA and try it out to see what it does.



Based on the response we get, we can figure out that when we enter an IP address and press submit, the server executes the command ping -c 3 192.168.1.1 and shows us the result. Now let's experiment and see what else we can get out of the server.

5.) Next we try the command 192.168.1.1 ; ls and see what happens.



Great! First we get back the same ping results, but we also get the results from the ls command which tells us that there are two folders, help and source, and one file, index.php, in the directory where the commands are being executed.

6.) Let's find out where these commands are running, and where the files we found previously are located, by issuing the command ; pwd and reviewing the results.



Now we can see that the commands are being executed in the /srv/dvwa-nologin/vulnerabilities/exec directory, and this is also where our files are located.

7.) Let's find out which user we are executing the commands as, and what processes are running on the machine, by executing ; whoami ; ps and viewing the results.



Now we can see that we are executing commands as the www-data user, and we can see all of the processes running on the machine.

8.) Let's see if we can find out who is allowed to log in to this machine with the ; cat /etc/passwd command (this could later be used to brute-force passwords and gain superuser access).



The /etc/passwd file is a text-based database of information about users that may login to the system or other operating system user identities that own running processes.

If you go to the links listed under More info you can try out some more commands. This is just a sample of the many things that could be done.

Now lets check the source code of the vulnerable file:


High Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST["ip"];

    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode(".", $target);

    // Check that there are exactly 4 octets and that each one is numeric
    // (the count is tested first so that the indexes below always exist)
    if ( (sizeof($octet) == 4) && (is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) ) {

        // If all 4 octets are numeric, put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];

        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {

            $cmd = shell_exec( 'ping ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        } else {

            $cmd = shell_exec( 'ping -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        }

    } else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }

}

?>


Medium Command Execution Source
<?php

if( isset( $_POST[ 'submit'] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Remove any of the characters in the array (blacklist).
    $substitutions = array(
        '&&' => '',
        ';' => '',
    );

    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command (identical to the low-level source).
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }

}

?>


Low Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }

}
?>
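The three listings differ only in the check applied to $target before it reaches shell_exec. As an added example (Python, not DVWA's code), the same three checks are modelled side by side, together with a fourth that parses the address with the standard library and builds an argument list for a shell-free subprocess call; the example only builds the commands and never runs them, and it approximates PHP's is_numeric with str.isdigit.

```python
"""Added example: the low/medium/high input checks from the DVWA listings
above modelled in Python, plus a validating variant.  Commands are built and
returned for inspection, never executed."""
import ipaddress


def low(target):
    # No check at all: whatever was typed is spliced into the shell command line.
    return "ping -c 3 " + target


def medium(target):
    # Blacklist: strip the two separators the medium level knows about.
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return "ping -c 3 " + target


def high(target):
    # Require exactly four numeric octets, then rebuild the address from them
    # so nothing but the octets survives into the command.  (str.isdigit is
    # stricter than PHP's is_numeric, which also accepts signs and exponents.)
    octets = target.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return "ping -c 3 " + ".".join(octets)


def validated(target):
    # Parse with the standard library: anything that is not a literal IPv4
    # address (including octets above 255) is rejected.  The result is an
    # argv list for subprocess.run(..., shell=False), so no shell ever sees
    # the user's text.
    try:
        addr = ipaddress.IPv4Address(target.strip())
    except ipaddress.AddressValueError:
        return None
    return ["ping", "-c", "3", str(addr)]


if __name__ == "__main__":
    # The page's own inputs: a plain address and the chained "; ls" from step 5.
    for value in ("192.168.1.1", "192.168.1.1 ; ls"):
        print(repr(value))
        for check in (low, medium, high, validated):
            print("   ", check.__name__, "->", check(value))
```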

Sunday, 18 March 2012

Magic Number


1. In source code, some non-obvious constant whose value is significant to the operation of a program and that is inserted inconspicuously in-line (hardcoded), rather than expanded in by a symbol set by a commented #define. Magic numbers in this sense are bad style.

2. A number that encodes critical information used in an algorithm in some opaque way. The classic examples of these are the numbers used in hash or CRC functions, or the coefficients in a linear congruential generator for pseudo-random numbers. This sense actually predates and was ancestral to the more common sense.

3. Special data located at the beginning of a binary data file to indicate its type to a utility. Under Unix, the system and various applications programs (especially the linker) distinguish between types of executable file by looking for a magic number. Once upon a time, these magic numbers were PDP-11 branch instructions that skipped over header data to the start of executable code; 0407, for example, was octal for ‘branch 16 bytes relative’. Many other kinds of files now have magic numbers somewhere; some magic numbers are, in fact, strings, like the !<arch> at the beginning of a Unix archive file or the %! leading PostScript files. Nowadays only a wizard knows the spells to create magic numbers. How do you choose a fresh magic number of your own? Simple — you pick one at random. See? It's magic!

4. An input that leads to a computational boundary condition, where algorithm behavior becomes discontinuous. Numeric overflows (particularly with signed data types) and run-time errors (divide by zero, stack overflows) are indications of magic numbers. The Y2K scare was probably the most notorious magic number non-incident.

The magic number, on the other hand, is 7±2. See The magical number seven, plus or minus two: some limits on our capacity for processing information by George Miller, in the Psychological Review 63:81-97 (1956). This classic paper established the number of distinct items (such as numeric digits) that humans can hold in short-term memory. Among other things, this strongly influenced the interface design of the phone system.
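As an added example (not part of the glossary entry above), a small sniffer in the spirit of sense 3: it recognises the three signatures the entry mentions, the 0407 magic stored as a little-endian 16-bit PDP-11 word (bytes 07 01, the OMAGIC of the classic Unix a.out format, a name the entry itself does not use), the !<arch> string of an ar archive and the %! of PostScript, and flags files whose extension contradicts their magic. The sample inputs are constructed byte strings.

```python
"""Added example: identify a file's type from its leading magic number
rather than from its name.  Signatures are the ones the glossary entry
mentions; sample data is constructed."""
import struct

# (type name, offset, expected bytes).  0407 octal is packed as a 16-bit
# little-endian word, which is how a PDP-11 stored it: b"\x07\x01".
MAGICS = [
    ("a.out (OMAGIC 0407)", 0, struct.pack("<H", 0o407)),
    ("ar archive", 0, b"!<arch>\n"),
    ("PostScript", 0, b"%!"),
]

# Extensions whose claimed type we can cross-check against the magic.
EXTENSION_TYPES = {".ps": "PostScript", ".a": "ar archive"}


def identify(data):
    """Return the type whose magic matches the start of data, else 'unknown'."""
    for name, offset, magic in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def extension_lies(filename, data):
    """True when the extension claims a type that the magic number contradicts.

    Returns False both for consistent files and for extensions we do not know.
    """
    lower = filename.lower()
    for ext, expected in EXTENSION_TYPES.items():
        if lower.endswith(ext):
            return identify(data) != expected
    return False


if __name__ == "__main__":
    samples = {                      # constructed file contents
        "doc.ps": b"%!PS-Adobe-3.0\n%%Pages: 1\n",
        "lib.a": b"!<arch>\nhello.o/       0   0     0     644     4         `\n",
        "prog": struct.pack("<H", 0o407) + bytes(14),
        "odd.ps": b"!<arch>\n",      # ar archive wearing a .ps extension
    }
    for name, data in samples.items():
        print(name, "->", identify(data), "| extension lies:", extension_lies(name, data))
```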

Unallocated space

Unallocated space, sometimes called “free space”, is logical space on a hard drive that the operating system, e.g. Windows, can write to. To put it another way, it is the opposite of “allocated” space, which is where the operating system has already written files.

Examples.

If the operating system writes a file to a certain space on the hard drive, that part of the drive is now “allocated”, as the file is using the space, and no other files can be written to that section. If that file is deleted, that part of the hard drive is no longer required to be “allocated”, so it becomes unallocated. This means that new files can now be written to that location.

On a standard, working computer, files can only be written to the unallocated space.

If a newly formatted drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g. $MFT). On a new drive the unallocated space is normally zeros; as files are written to the hard drive, the zeros are overwritten with the file data.

Working Example

Blank Drive

A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume it's 100% to make the maths slightly easier. All of the unallocated space will be zeros, literally 00 00 00 written on the hard drive.

If a 5 GB file, e.g. a large movie, is placed on the drive, then there will be 1% (5 GB) allocated space and 99% unallocated (495 GB).

If a 10 GB database file is now added to this hard drive, there will be a total of 3% (15 GB) of allocated space and 485 GB unallocated space. New files will only be written into the remaining unallocated space.

What happens when a file is deleted

If the movie file from the above example is deleted, the allocated space it was using will become unallocated, i.e. there will now be 2% allocated space (the 10 GB database) and 98% unallocated space.

However, the data from the movie file is still on the hard drive; it does not just disappear, it just changes its status. This means that the following situation now exists:

There is 10 GB of allocated space and 490 GB of unallocated space.

Of the 490 GB, 485 GB would be all zeros; however, 5 GB of the unallocated space would be the old movie data.

Until new files are written to the hard drive, this movie file will remain deleted but still recoverable from the hard drive. Even when new files are written, they must overwrite the same unallocated space that the movie file occupies before the movie data is destroyed.

Slack space

Slack space is the unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the slack space.
DOS and older Windows systems use a 16-bit file allocation table (FAT), which results in very large cluster sizes for large partitions. For example, if the partition size is 2 GB, each cluster will be 32 K. Even if a file requires only 4 K, the entire 32 K will be allocated, resulting in 28 K of slack space. Windows 95 OSR 2 and Windows 98 resolve this problem by using a 32-bit FAT (FAT32) that supports cluster sizes smaller than 1 K.