Tips for an Information Security Analyst/Pentester career - Episode 11: Mutillidae II (brief introduction)

Mutillidae II is another deliberately vulnerable web application from OWASP, built for testing a web application for security vulnerabilities that result from insecure coding and for learning how to prevent them.

In this episode, I am going to perform a basic SQL injection and a quick command injection.

We can also use blind SQL injection against Mutillidae, as I'm going to show in a coming post.

The difference from a plain SQL injection attack is that, in the blind approach, we don't type commands into an input field ourselves; instead, we let a tool do that for us.

This approach allows for a much faster attack and is recommended where input validation is in place, since entering injection payloads manually would be of no use.



a) Quick SQL injection

We start out with the user lookup page. No user had been created for this interface yet.

Therefore, I type in a random username (bla), followed by a single quote (').

The website very kindly returns an error message indicating that the database backend is MySQL.


This information allows us to attack an input field successfully, using an injection I had used in my Ethical Hacking class.

So, after creating a new user called bla, I was able to retrieve all users in the database.

I only had to enter bla as the username and the highlighted injection in the password field: ' or 1= '1.


b) Command injection

Another part of the application is vulnerable to command injection.

The DNS lookup page is supposed to look up an IP address and return its corresponding hostname.

However, it allows a command to be concatenated within the input field.

This can be done by using "&&" (under Windows) or ";" (with UNIX/Linux).


I simply concatenated the DIR command to the IP address (192.168.1.78 && dir), obtaining the full listing of the C:\xampp\htdocs\mutillidae folder.

Of course, the IP address may differ in your case. It might even be 127.0.0.1; it's not very relevant, just something we need to supply.

What we care about is the command we append to it.

This shouldn't be happening anyway: we shouldn't have access to this information.

Bringing this attack to the next level, we might upload a reverse shell to the server.
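To show why the two input fields above (a, the password field; b, the DNS lookup field) fail and how they would be fixed, here is an added example that is not code from Mutillidae or from this post. It is written in Python rather than the application's PHP, uses a constructed in-memory SQLite table with a hypothetical schema, and assumes the lookup tool is `nslookup`.

```python
import ipaddress
import sqlite3

# Constructed sample accounts (hypothetical schema, not Mutillidae's own table).
SEED_USERS = [("bla", "secret"), ("admin", "adminpass")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(username, password):
    """Query built by string concatenation, the pattern the post's injection abuses.

    With password "' or '1'='1" the WHERE clause becomes
    (username = 'bla' AND password = '') OR '1'='1', matching every row.
    The post's numeric form ' or 1='1 relies on MySQL coercing '1' to 1;
    SQLite compares the two literals without conversion, so the quoted form
    is used here to show the same effect.
    """
    conn = _connect()
    sql = ("SELECT username FROM accounts WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    conn = _connect()
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def dns_lookup_argv(target):
    """Build the argument list for the lookup tool without going through a shell.

    Only a single, well-formed IP address is accepted, so an input such as
    '192.168.1.78 && dir' is rejected (returns None). Passing argv as a list to
    subprocess.run() means no shell ever interprets '&&' or ';'.
    """
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        return None
    return ["nslookup", str(ip)]
```

The vulnerable lookup returns both seeded accounts for the injected password, while the parameterised one returns nothing for it and only the matching row for the real credentials.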


Wrap-up

Mutillidae II is another very interesting OWASP Top 10 project, allowing us to safely test issues caused by vulnerabilities and coding bugs in web applications and to study how to fix them.

Here I've barely scratched the surface, but it's a powerful tool whose functionality goes much further.

We'll see more hands-on implementations of it over the coming posts.

Stick around!
