CEH Lab Manual
SQL Injection
Module 14
Module 14 - SQL Injection
SQL Injection
SQL injection is a technique often used to attack a website. It is the most common website vulnerability on the Internet.
Lab Scenario
A SQL injection attack is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed and is unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump database information such as credit card numbers or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
As an expert ethical hacker, you must use diverse defenses: prepared statements with bind variables, whitelist input validation, and escaping. Input validation can be used to detect unauthorized input before it is passed to the SQL query.
Lab Objectives
The objective of this lab is to provide expert knowledge on SQL injection attacks and other responsibilities that include:
■ Understanding when and how a web application connects to a database server in order to access data
■ Extracting basic SQL injection flaws and vulnerabilities
■ Testing web applications for blind SQL injection vulnerabilities
■ Scanning web servers and analyzing the reports
■ Securing information in web applications and web servers
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection
Lab Environment
To carry out the lab, you need:
■ A computer running Windows Server 2012
■ Windows 7 running in a virtual machine
■ A web browser with an Internet connection
■ Administrative privileges to configure settings and run tools
CEH Lab Manual Page 782
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Duration
Time: 50 Minutes
Overview of SQL Injection
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
Lab Tasks
Recommended labs to assist you in SQL Injection:
■ Logging on without valid credentials
■ Testing for SQL injection
■ Performing blind SQL injection
■ Creating your own user account
■ Creating your own database
■ Directory listing
■ Denial-of-service attacks
■ Testing for SQL injection using the IBM Security AppScan tool
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
SQL Injection Attacks on MS SQL Database
SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.
Lab Scenario
Today, SQL injection is one of the most common and perilous attacks that a website's software can experience. This attack is performed on SQL databases that have weak code, and this vulnerability can be used by an attacker to execute database queries to collect sensitive information, modify the database entries, or attach malicious code, resulting in total compromise of the most sensitive data.
As an expert penetration tester and security administrator, you need to test web applications running on the MS SQL Server database for vulnerabilities and flaws.
Lab Objectives
The objective of this lab is to provide students with expert knowledge on SQL injection attacks and to analyze web applications for vulnerabilities.
In this lab, you will learn how to:
■ Log on without valid credentials
■ Test for SQL injection
■ Create your own user account
■ Create your own database
■ Directory listing
■ Execute denial-of-service attacks
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection
Lab Environment
To carry out the lab, you need:
■ A computer running Windows Server 2012 (Victim Machine)
■ A computer running Windows 8 (Attacker Machine)
■ MS SQL Server must be running under local system privileges
■ A web browser with an Internet connection
Lab Duration
Time: 30 Minutes
Overview of SQL Injection Attacks
SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database. It is a flaw in web applications and not a database or web server issue. Most programmers are still not aware of this threat.
Lab Tasks
TASK 1: Log on without Valid Credentials
Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. Blind SQL injection is identical to normal SQL injection, except that, when an attacker attempts to exploit an application, rather than seeing a useful error message, a generic custom page displays.
1. Run this lab in Firefox. It will not work in Internet Explorer.
2. Open a web browser, type http://localhost/realhome in the address bar, and press Enter.
3. The Home page of Real Home appears.
Note: Try to log on using the code ' or 1=1 -- as the login.
Note: A dynamically generated SQL query is used to retrieve the number of matching rows.
FIGURE 1.1: Old House Restaurant home page
4. Assume that you are new to this site and have never registered with this website previously.
5. Now log in with the code:
blah' or 1=1 --
6. Enter any password in the Password field or leave the Password field empty.
7. Click Login or press Enter.
Note: When the attacker enters blah' or 1=1 --, the SQL query looks like this:
SELECT Count(*) FROM Users WHERE UserName='blah' OR 1=1 AND Password=''
FIGURE 1.2: Old House Restaurant login page
8. You are logged in to the website with a fake login. Your credentials are not valid, but you are logged in. Now you can browse all the web pages of the website as a registered member. You will get a Logout link at the upper corner of the screen.
Note: A user enters a user name and password that matches a record in the Users table.
FIGURE 1.3: Old House Restaurant web page
You have successfully logged on to the vulnerable site and created your own database.
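The login check from Task 1 and the stacked insert from Task 2, reproduced as an added example that is not part of the lab manual, against a constructed in-memory SQLite table named Users: the concatenated query accepts the lab's blah' or 1=1 -- login, while the bound-parameter version, the prepared-statement defense named in the module introduction, compares the same input as a literal user name. The two sample accounts and the table layout are assumptions; the RealHome site's real schema is not shown in the lab.

```python
import sqlite3

# Constructed stand-in for the Users table the lab's query reads (assumed layout).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT NOT NULL, Password TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def count_matches_vulnerable(conn, username, password):
    """The lab's query built by string concatenation.

    With username = "blah' or 1=1 --" the statement sent to the engine is
        SELECT Count(*) FROM Users WHERE UserName='blah' or 1=1 --' AND Password=''
    The quote closes the literal, "or 1=1" is true for every row, and "--" turns
    the password check into a comment, so Count(*) is the whole table.
    """
    sql = ("SELECT Count(*) FROM Users WHERE UserName='" + username
           + "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_matches_safe(conn, username, password):
    """Same query with bound parameters (a prepared statement with bind variables).

    The statement text is fixed; the driver passes the two values separately, so
    the quote, the OR and the comment marker are just characters of a user name.
    """
    sql = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def login(conn, username, password, safe=True):
    """True when the login is accepted, mirroring the site's Count(*) > 0 check."""
    check = count_matches_safe if safe else count_matches_vulnerable
    return check(conn, username, password) > 0


def user_count(conn):
    return conn.execute("SELECT Count(*) FROM Users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    bypass = "blah' or 1=1 --"                                             # Task 1 input
    # Task 2 input (the lab's target table is named login; this schema only has Users).
    # sqlite3's execute() refuses stacked statements, so only the safe path is shown;
    # a driver that runs several statements per call would execute the insert.
    stacked = "blah'; insert into Users values ('juggyboy','juggy123'); --"
    print("vulnerable query, bypass input:", login(db, bypass, "", safe=False))  # True
    print("parameterized query, bypass:   ", login(db, bypass, "", safe=True))   # False
    print("parameterized query, stacked:  ", login(db, stacked, "", safe=True))  # False
    print("rows in Users afterwards:      ", user_count(db))                     # 2
```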
TASK 2: Creating Your Own User Account
Create a user account using an SQL injection query.
9. Open a web browser, type http://localhost/realhome and press Enter.
10. The home page of Real Home appears.
Note: Try to insert a string value where a number is expected in the input field.
FIGURE 1.4: Old House home page
11. Enter the query
blah'; insert into login values ('juggyboy','juggy123'); --
in the Login name field and enter any password in the Password field or leave the Password field empty. In this query, juggyboy is the username and juggy123 is the password.
Note: To detect SQL injection, check if the web application connects to a database server in order to access some data.
12. After executing the query you will be redirected to the login page; this is normal.
13. Try juggyboy as the username and juggy123 as the password to log in.
14. Click Login or press Enter.
Note: Error messages are essential for extracting information from the database. Depending on the type of errors found, you can vary the attack techniques.
FIGURE 1.5: Old House Login page
15. If no error message is displayed on the web page, it means that you have successfully created your login using the SQL injection query.
16. To verify whether your login has been created successfully, go to the login page, enter juggyboy in the Login Name field and juggy123 in the Password field, and click Login.
Note: Understanding the underlying SQL query allows the attacker to craft correct SQL injection.
FIGURE 1.6: Old House Login page
17. You will log in successfully with the created login. Now you can access all the features of the website. Go to Start menu apps, launch SQL Server Management Studio, and log in with the credentials.
Note: Different databases require different SQL syntax. Identify the database engine used by the server.
FIGURE 1.7: Old House Login page
TASK 3: Create Your Own Database
18. Open a web browser, type http://localhost/realhome in the address bar, and press Enter.
19. The Home Page of Real Home appears.
Note: Most injections land in the middle of a SELECT statement. In a SELECT clause, we almost always end up in the WHERE section.
FIGURE 1.8: Old House Home page
20. In the Login Name field, type
blah'; create database juggyboy; --
and leave the Password field empty. Click Login.
21. In this query, juggyboy is the name of the database.
Note: Mostly the error messages show you what DB engine you are working on with ODBC errors. It displays the database type as part of the driver information.
FIGURE 1.9: Old House Login page
22. No error message or any message displays on the web page. It means that the site is vulnerable to SQL injection and a database with the name juggyboy has been created at the database server.
Note: Try to replicate an error-free navigation, which could be as simple as ' and '1' = '1 or ' and '1' = '2.
23. When you open Microsoft SQL Server Management Studio, under Database you can see the created database, juggyboy.
Note: Time delays are a type of blind SQL injection that causes the SQL engine to execute a long-running query or a time delay statement, depending on the logic injected.
FIGURE 1.10: Microsoft SQL Server Management Studio
TASK 5: Denial-of-Service Attack
24. Open a web browser, type http://localhost/realhome in the address bar, and press Enter.
25. The Home Page of Real Home is displayed.
Note: Once you determine the usernames, you can start gathering passwords:
Username: ' union select password,1,1,1 from users where username = 'admin'--
FIGURE 1.11: Old House Home page
26. In the Login name field, type
blah'; exec master..xp_cmdshell 'ping www.certifiedhacker.com -l 65000 -t';
and leave the Password field empty, and click Login.
27. In the above query, you are performing a ping of the www.certifiedhacker.com website using an SQL injection query: -l is the send buffer size, and -t means to ping the specified host until stopped.
Note: The attacker then selects the string from the table, as before:
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'.
Note: Use the bulk insert statement to read any file on the server, and use bcp to create arbitrary text files on the server.
FIGURE 1.12: Old House Login page
28. The SQL injection query starts pinging the host, and the login page shows a Waiting for localhost... message at the bottom left side of the window.
29. To see whether the query has successfully executed and the ping is running, open your Task Manager window.
30. In Task Manager, under the Details tab, you see a process called PING.EXE running in the background.
31. This process is the result of the SQL injection query that you entered in the login field of the website.
Note: Using the sp_OACreate, sp_OAMethod and sp_OAGetProperty system stored procedures to create OLE Automation (ActiveX) applications that can do everything an ASP script can do.
FIGURE 1.13: Task Manager
32. To manually kill this process, right-click the PING.EXE process and select End Process. This stops the pinging of the host.
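The login-field payloads this lab enters in Tasks 1, 2, 3 and 5, seen from the defender's side, as an added example that is not part of the lab manual: an allow-list check for the Login Name field (the validation the module introduction calls for) and signature matching run over constructed application log lines. The log format, timestamps and source addresses are assumptions, not the lab site's real logging.

```python
import re
from dataclasses import dataclass, field

# Allow-list for the Login Name field: letters, digits, underscore and dot, 1-32 characters.
# Quotes, semicolons and spaces never reach the query builder (assumed site policy).
LOGIN_NAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,32}$")

# Signatures for the payload shapes used in this lab, named after the task they appear in.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),           # Task 1: ' or 1=1
    "stacked_statement": re.compile(                                    # Tasks 2, 3, 5: '; insert / create / exec
        r";\s*(insert|update|delete|create|drop|alter|exec|execute)\b", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),                     # Task 5: OS command via SQL Server
    "comment_terminator": re.compile(r"--"),                             # trailing -- that discards the rest
}

# Constructed log lines in a made-up format: timestamp, event, quoted user field, source.
SAMPLE_LOG = """\
2013-01-15 10:02:11 login_attempt user="alice" src=10.0.0.5
2013-01-15 10:02:40 login_attempt user="blah' or 1=1 --" src=10.0.0.9
2013-01-15 10:03:02 login_attempt user="blah'; insert into login values ('juggyboy','juggy123'); --" src=10.0.0.9
2013-01-15 10:03:30 login_attempt user="blah'; create database juggyboy; --" src=10.0.0.9
2013-01-15 10:04:05 login_attempt user="blah'; exec master..xp_cmdshell 'ping www.certifiedhacker.com -l 65000 -t';" src=10.0.0.9
2013-01-15 10:05:00 login_attempt user="o'brien" src=10.0.0.7
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) login_attempt user="(?P<user>.*)" src=(?P<src>\S+)$')


@dataclass
class Finding:
    ts: str
    src: str
    user: str
    allowed: bool                      # passed the allow-list
    signatures: list = field(default_factory=list)   # names of matching SIGNATURES


def classify(user):
    """Return (allowed_by_allowlist, list of matching signature names)."""
    allowed = bool(LOGIN_NAME_RE.match(user))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(user)]
    return allowed, hits


def analyze_log(text):
    """Parse login_attempt lines and classify the submitted user field of each."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a login event in the assumed format; ignored here
        allowed, hits = classify(m["user"])
        findings.append(Finding(m["ts"], m["src"], m["user"], allowed, hits))
    return findings


def suspicious_sources(findings):
    """Map each source address with at least one signature hit to its number of hits."""
    counts = {}
    for f in findings:
        if f.signatures:
            counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        verdict = "ok" if f.allowed else "rejected by allow-list"
        print(f"{f.ts} {f.src:<10} {verdict:<23} {f.signatures}")
    print(suspicious_sources(analyze_log(SAMPLE_LOG)))   # {'10.0.0.9': 4}
```

Note that o'brien is rejected by the allow-list without matching any signature: the allow-list is the control, the signatures only label what was attempted.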
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
Tool/Utility: SQL Injection Attacks on MS SQL Database
Information Collected/Objectives Achieved:
■ Login id: 1003, 1004
■ Login Username: juggyboy
■ Password: juggy123
Internet Connection Required: ☐ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs
Lab: Testing for SQL Injection Using IBM Security AppScan Tool
IBM Security AppScan is a web application security testing tool that automates vulnerability assessments, prevents SQL injection attacks on websites, and scans websites for embedded malware.
Lab Scenario
By now, you are familiar with the types of SQL injection attacks an attacker can perform and the impact caused by these attacks. Attackers can use the following types of SQL injection attacks: authentication bypass, information disclosure, compromised data integrity, compromised availability of data, and remote code execution, which allow them to spoof identity, damage existing data, execute system-level commands to cause denial of service of the application, etc.
In the previous lab you learned to test for SQL injection attacks on an MS SQL database for website vulnerabilities.
As an expert security professional and penetration tester of an organization, your job responsibility is to test the company's web applications and web services for vulnerabilities. You need to find various ways to extend security tests and analyze web applications, and employ multiple testing techniques. Moving further, in this lab you will learn to test for SQL injection attacks using the IBM Security AppScan tool.
Lab Objectives
The objective of this lab is to help students learn how to test web applications for SQL injection threats and vulnerabilities.
In this lab, you will learn to:
■ Perform website scans for vulnerabilities
■ Analyze scanned results
■ Fix vulnerabilities in web applications
■ Generate reports for scanned web applications
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection
Lab Environment
To carry out the lab, you need:
■ IBM Security AppScan located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\IBM Security AppScan
■ A computer running Windows Server 2012
■ Double-click SEC_APPS_STD_V8.7_EVAL_WIN.exe to install
■ You can also download the latest version of Security AppScan from http://www-01.ibm.com/software/awdtools/appscan/standard
■ A web browser with Internet access
■ Microsoft .NET Framework Version 4.0 or later
Note: You can download IBM AppScan from http://www.ibm.com.
Note: Supported operating systems (both 32-bit and 64-bit editions):
■ Windows 2003: Standard and Enterprise, SP1 and SP2
■ Windows Server 2008: Standard and Enterprise, SP1 and SP2
Lab Duration
Time: 20 Minutes
Overview of Testing Web Applications
Web applications are tested to implement security and automate vulnerability assessments. Doing so prevents SQL injection attacks on web servers and web applications. Websites are tested for embedded malware and by employing multiple testing techniques.
Lab Tasks
TASK 1: Testing Web Application
1. Follow the wizard-driven installation steps and install the IBM Security AppScan tool.
2. To launch IBM Security AppScan, move your mouse cursor to the lower-left corner of your desktop and click Start.
Note: A personal firewall running on the same computer as Rational AppScan can block communication and result in inaccurate findings and reduced performance. For best results, do not run a personal firewall on the computer that runs Rational AppScan.
FIGURE 2.1: Windows Server 2012 Desktop view
3. Click the IBM Security AppScan Standard app from the Start menu apps.
Note: You can configure Scan Expert to perform its analysis and apply some of its recommendations automatically, when you start the scan.
FIGURE 2.2: Windows Server 2012 Desktop view
4. The main window of IBM Security AppScan appears; click Create New Scan... to start the scanning.
Note: AppScan can scan both web applications and web services.
FIGURE 2.3: IBM Rational AppScan main window
5. In the New Scan wizard, click the demo.testfire.net hyperlink.
Note: In the evaluation version we cannot scan other websites.
Note: Malware test uses data gathered during the explore stage of a regular scan, so you must have some explore results for it to function.
FIGURE 2.4: IBM Rational AppScan New Scan window
Note: One of the options in the scan configuration wizard is for Scan Expert to run a short scan to evaluate the efficiency of the new configuration for your particular site.
6. In the Scan Configuration Wizard, select Web Application Scan and click Next.
FIGURE 2.5: IBM Rational AppScan Scan Configuration Wizard
7. In URL and Servers options, leave the settings at their defaults and click Next.
Note: There are some changes that Scan Expert can only apply with human intervention, so when you select the automatic option, some changes may not be applied.
FIGURE 2.6: IBM Rational AppScan Scan Configuration Wizard
8. In Login Management, select the option Automatic, enter the user name details as Username: jsmith and Password: Demo1234, and click Next.
Note: The total number of tests to be sent, or URLs to be visited, may increase during a scan, as new links are discovered.
FIGURE 2.7: IBM Rational AppScan Scan Configuration window
9. In Test Policy options, click Next to continue.
Note: The Security Issues view shows the actual issues discovered, from overview level down to individual requests/responses. This is the default view.
FIGURE 2.8: IBM Rational AppScan Full Scan window
10. Click Finish to complete the Scan Configuration Wizard.
Note: Results can display in three views: Security Issues, Remediation Tasks, and Application Data. The view is selected by clicking a button in the view selector. The data displayed in all three panes varies with the view selected.
FIGURE 2.9: IBM Rational AppScan Full Scan window
11. When the Auto Save window prompts you to save automatically during scan, click Yes to save the file and proceed to scan.
Note: The Remediation Tasks view provides a To Do list of specific remediation tasks to fix the issues found by the scan.
FIGURE 2.10: Auto Save window
12. Security AppScan starts scanning the provided URL for vulnerabilities.
Note: The Result List displays the issues for whatever item is selected in the application tree. These can be for:
■ Root level: All site issues display
■ Page level: All issues for the page
■ Parameter level: All issues for a particular request to a particular page
FIGURE 2.11: IBM Rational AppScan Scanning Web Application window
Note: It will take a lot of time to scan the complete site; in this lab we have stopped before scanning is complete.
13. After the scan is complete, the application lists all the security issues and vulnerabilities in the website.
14. Results can be displayed in three views: Data, Issues, and Tasks.
15. To view the vulnerabilities and security issues in a particular website, click the Issues tab.
Note: You can export the complete scan results as an XML file or as a relational database. (The database option exports the results into a Firebird database structure. This is open source and follows ODBC and JDBC standards.)
FIGURE 2.12: IBM Rational AppScan Scanning Web Application Result window
TASK 2: Analyze Result
16. To analyze the scan results, click any of the results, such as SQL Injection, to list all the links that are vulnerable to SQL injection.
Note: The severity level assigned to any issue can be changed manually by right-clicking on the node.
FIGURE 2.13: IBM Rational AppScan Scanning Web Application Result window
Note: Result Expert consists of various modules that are used to process scan results. The processed results are added to the Issue Information tab of the Detail pane, making the information displayed there more comprehensive and detailed, including screen shots where relevant.
17. Click the Advisory tab in the bottom pane of the window to see the severity of that particular link.
Note: The Security Report reports security issues found during the scan. Security information may be very extensive and can be filtered depending on your requirements. Six standard templates are included, but each can easily be tailored to include or exclude categories of information.
FIGURE 2.14: IBM Rational AppScan Scanning Web Application Result window
18. To fix these threats and vulnerabilities, click Fix Recommendation to view a list of advice for fixing these vulnerabilities.
FIGURE 2.15: IBM Rational AppScan Scanning Web Application Result window
TASK 3: Generate Report
19. After Rational AppScan assesses your site's vulnerability, you can generate customized reports configured for the various personnel in your organization.
20. You can open and view the reports from within Security AppScan, and you can save a report as a file to be opened with a third-party application.
21. To generate a report, select Tools -> Report.... The Create Report window appears.
The Industry Standard Report reports the compliance (or noncompliance) of your application with a selected industry committee or your own custom standards checklist.
The Template Based Report is a custom report containing user-defined data and user-defined document formatting in Microsoft Word .doc format.
FIGURE 2.16: IBM Rational AppScan Report Option window
22. Select the type of report to generate, check options, and click Save Report....
The Delta Analysis report compares two sets of scan results and shows the difference in URLs and/or security issues discovered.
The Regulatory Compliance Report reports on the compliance (or non-compliance) of your application with a large choice of regulations or legal standards, or with your own custom template.
FIGURE 2.17: IBM Rational AppScan Create Report window
23. Save the report to the desired location. The saved report will be helpful for future guidance.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target’s security posture and exposure.
Tool/Utility: IBM Security AppScan
Information Collected/Objectives Achieved: ■ SQL Injection attack detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how to speed up the scanning process and reduce the number of pages that IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.
Internet Connection Required
☑ Yes
☐ No
Platform Supported
☐ iLabs
Testing for SQL Injection Using WebCruiser Tool
ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review
WebCruiser - Web Vulnerability Scanner is an effective and powerful web penetration testing tool that will aid you in auditing your website. It has a Vulnerability Scanner and a series of security tools.
Lab Scenario
A deeper understanding of detecting SQL injection attacks using the IBM Security AppScan tool was examined in the previous lab. In this lab we will have a look at a real case scenario where SQL injection attacks were implemented to steal confidential information from banks.
Albert Gonzalez, an indicted hacker, stole 130 million credit and debit cards,
the biggest identity theft case ever prosecuted in the United States. He used
SQL injection attacks to install sniffer software on the companies' servers to
intercept credit card data as it was being processed.
He was charged for many different cases in which the methods of hacking utilized were:
■ Structured Query Language (“SQL”) was a computer programming language designed to retrieve and manage data on computer databases.
■ “SQL Injection Attacks” were methods of hacking into and gaining unauthorized access to computers connected to the Internet.
■ “SQL Injection Strings” were a series of instructions to computers used by hackers in furtherance of SQL Injection Attacks.
■ “Malware” was malicious computer software programmed to, among other things, identify, store, and export information on computers that were hacked, including information such as credit and debit card numbers and corresponding personal identification information of cardholders (“Card Data”), as well as to evade detection by anti-virus programs running on those computers.
As an expert security professional and penetration tester you should have a complete understanding of SQL injection attack scenarios and list high-risk components and note entry points to start testing and exploring. Hence, as another aspect in SQL Injection testing, in this lab you will be guided to test for SQL injection using the WebCruiser Tool.
Lab Objectives
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection
The objective of this lab is to help students learn how to test web applications for SQL injection threats and vulnerabilities.
In this lab, you will learn to:
■ Perform website scans for vulnerabilities
■ Analyze scanned results
■ Fix vulnerabilities in web applications
■ Generate reports for scanned web applications
Lab Environment
You can download WebCruiser from http://sec4app.com/download
To carry out the lab, you need:
■ WebCruiser located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\WebCruiser
■ Run this tool in Windows Server 2012
■ You can also download the latest version of WebCruiser from the link http://sec4app.com/download.htm
■ A web browser with Internet access
■ Microsoft .NET Framework Version 4.0 or later
WebCruiser can also produce a time-consuming SQL sentence and get information from the response time.
Lab Duration
Time: 20 Minutes
Overview of Testing Web Applications
Web applications are tested for implementing security and automating vulnerability assessments. Doing so prevents SQL injection attacks on web servers and web applications. Websites are tested for embedded malware and to employ multiple testing techniques.
TASK 1: Testing Web Application
Lab Tasks
1. To launch WebCruiser in your Windows Server 2012 host machine, navigate to D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\WebCruiser.
2. Double-click WebCruiserWVS.exe to launch it.
Scanning is not necessary for SQL Injection POC; you can launch POC by inputting the URL directly, or launch it from the Scanner.
WebCruiser supports:
* GET/Post/Cookie Injection;
* SQL Server: Plain Text/FieldEcho(Union)/Blind Injection;
* MySQL/DB2/Access: FieldEcho(Union)/Blind Injection;
* Oracle: FieldEcho(Union)/Blind/CrossSite Injection;
FIGURE 3.1: WebCruiser main window
3. Enter the URL that you want to scan; in this lab we are scanning http://10.0.0.2/realhome/ (this IP address is where the realhome website is hosted).
WebCruiser Web Vulnerability Scanner for iOS is an effective and convenient web penetration testing tool that will aid you in auditing your website! WebCruiser can find the following web vulnerabilities currently:
* GET SQL Injection (Int, String, Search)
* POST SQL Injection (Int, String, Search)
* Cross Site Scripting (XSS)
It can support scanning a website as well as POC (Proof of Concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!
FIGURE 3.2: WebCruiser Scanning a site
4. A software disclaimer pop-up will appear; click OK to continue.
Confirm
* Software Disclaimer:
* Authorization must be obtained from the web application owner;
* This program will try to get each link and post any data when scanning;
* Backup the database before scanning so as to avoid disaster;
* Using this software at your own risk.
* Login as a legal user will help you find vulnerabilities to the most extent.
* But not login is better if you intend to scan the login/authentication page.
* Continue?
OK / Cancel
System Requirement: .NET Framework V2.0 or higher; you can download .NET Framework V2.0 from Microsoft.
FIGURE 3.3: WebCruiser Software Disclaimer pop-up
5. WebCruiser starts with the URL scan as shown in the following screenshot. It shows the site structure, and the table below it lists the vulnerabilities found.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
The screenshot shows the site structure of http://10.0.0.2/realhome/ and the vulnerability table, in which the Login.aspx form (POST, parameter type String, keyword float) is listed as POST SQL INJECTION while the scanner is still checking form vulnerabilities on http://10.0.0.2/RealHome/property.aspx.
FIGURE 3.4: WebCruiser Scanning Vulnerabilities
6. Right-click each of the vulnerabilities displayed in the scan result, and then you can launch SQL Injection POC (Proof of Concept).
It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL Injection is one of the most common application layer attack techniques used today.
The screenshot shows the right-click menu on a vulnerability entry: Copy URL To ClipBoard, SQL INJECTION POC, Delete Vulnerability.
FIGURE 3.5: WebCruiser SQL Injection POC (Proof of Concept)
7. This will launch the SQL injection POC tool and fill the relevant fields. Click Get Environment Information.
There are many methods of getting data in SQL Injection, but not all these methods are supported in an actual penetration test.
The screenshot shows the POC tool loaded with the URL http://10.0.0.2/realhome/Login.aspx and its POST data, DataBase: UnKnown, KeyWord: float, Injection Type: String, and the Get Environment Information button.
FIGURE 3.6: WebCruiser SQL Injection POC Tool
8. It will display the environment information where the site is hosted.
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.
Tool/Utility: WebCruiser
Information Collected/Objectives Achieved: ■ SQL Injection Detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how to speed up the scanning process and reduce the number of pages the IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.
Internet Connection Required
☐ Yes
☐ No
Platform Supported
☑ Classroom
☑ iLabs
Testing for SQL Injection Using N-Stalker Tool
ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review
N-Stalker Web Application Security Scanner 2012 is a sophisticated Web Security Assessment solution for your web applications. By incorporating the well-known “N-Stealth HTTP Security Scanner” and its 39,000 Web Attack Signature database along with a patent-pending component-oriented Web Application Security Assessment technology, N-Stalker is a “must have” security tool to developers, system/security administrators, IT auditors, and staff.
Lab Scenario
In the previous lab you examined how to use the WebCruiser tool to scan a website as well as to run a POC (Proof Of Concept) for a web vulnerability: SQL injection.
Some attackers perform SQL injection attacks based on an “error message” received from the server. If an error is returned by the application, the attacker can determine the entire structure of the database, and read any value that can be read by the account the ASP application is using to connect to the SQL Server. However, if an error message is returned from the database server complaining that the SQL query’s syntax is incorrect, an attacker tries all possible true and false questions through SQL statements to steal data.
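The error-message probing and the true/false probing described above, like the POST SQL injection the scanners flag on the realhome login form, share the root cause named in the WebCruiser sidebar: user input spliced into a SQL statement. The following is an added example, not code from the lab manual or from WebCruiser or N-Stalker; it uses an in-memory SQLite users table with constructed accounts (the table and account names are assumptions) to put a login check built by string concatenation beside the same check with bound parameters, and to show the database error that only the concatenated form leaks.

```python
"""Vulnerable vs. parameterized login query (added example, constructed data).

The users table and its two accounts are constructed here so the script runs
offline; nothing in it comes from the lab's realhome application.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "S3cret!"), ("guest", "guest")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenate the input into the statement: the input becomes part of the SQL.

    This is the pattern a scanner reports as 'POST SQL injection' on a login form:
    a quote in the input either changes the WHERE logic or breaks the syntax and
    surfaces a database error message to the client.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bind the input as parameters: the SQL text never changes, whatever is typed."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def login_comparison(username: str, password: str) -> dict:
    """Run both variants on the same input and report what each returned.

    'vulnerable_error' captures the database error the concatenated query leaks
    when the input breaks the statement's syntax; the bound query never raises.
    """
    conn = make_db()
    result = {"vulnerable": False, "vulnerable_error": None, "safe": False}
    try:
        try:
            result["vulnerable"] = vulnerable_login(conn, username, password)
        except sqlite3.Error as exc:  # error-based case: syntax broken by the input
            result["vulnerable_error"] = str(exc)
        result["safe"] = safe_login(conn, username, password)
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    # Constructed inputs: valid credentials, a wrong password, a comment-terminated
    # username that alters the concatenated WHERE clause, and a lone quote that
    # breaks its syntax. The bound query treats all four as plain strings.
    for user, pw in [("admin", "S3cret!"), ("admin", "wrong"), ("admin' --", "x"), ("'", "x")]:
        print(repr(user), repr(pw), login_comparison(user, pw))
```

A difference between the two columns on the same input is exactly the signal a scanner is looking for; the fix is the bound query, not filtering of the input.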
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 14 SQL Injection
As an expert security professional and penetration tester you should be familiar with the tips and tricks used in SQL injection detection. You must also be aware of all the tools that can be used to detect SQL injection flaws. In this lab you will learn to use the tool N-Stalker to detect SQL injection attacks in websites.
Lab Objectives
The objective of this lab is to help students learn how to test web applications for SQL Injection threats and vulnerabilities.
In this lab, you will learn to:
■ Perform website scans for vulnerabilities
■ Analyze scanned results
■ Fix vulnerabilities in web applications
■ Generate reports for scanned web applications
Lab Environment
You can download N-Stalker from http://www.nstalker.com/products/editions/free/download
To carry out the lab, you need:
■ N-Stalker located at D:\CEH-Tools\CEHv8 Module 14 SQL Injection\SQL Injection Detection Tools\N-Stalker Web Application Security Scanner
■ Run this tool in Windows Server 2012
■ You can also download the latest version of N-Stalker from the link http://www.nstalker.com/products/editions/free/download
■ A web browser with Internet access
■ Microsoft .NET Framework Version 4.0 or later
Founded upon the U.S. Patent Registered Technology of Component-oriented Web Application Security Scanning, N-Stalker Enterprise Edition allows for assessment of Web Applications.
Lab Duration
Time: 20 Minutes
Overview of Testing Web Applications
Web applications are tested for implementing security and automating vulnerability
assessments. Doing so prevents SQL injection attacks on web servers and web
applications. Websites are tested for embedded malware and to employ multiple
testing techniques.
TASK 1: Testing Web Application
Lab Tasks
1. To launch N-Stalker, move your mouse cursor to the lower-left corner of your desktop and click Start.
N-Stalker Web Application Security Scanner 2012 Enterprise Edition provides the most complete and effective suite of Web Security assessment checks to enhance the overall security of your Web Applications against a wide range of vulnerabilities and sophisticated hacker attacks.
FIGURE 4.1: Windows Server 2012 Desktop view
2. Click the N-Stalker Free 2012 app to launch it.
N-Stalker also allows you to create your own assessment policies and requirements, enabling an effective way to manage your application’s SDLC, including the ability to control information exposure, development flaws, infrastructure issues and real security vulnerabilities that can be explored by external agents.
FIGURE 4.2: Windows Server 2012 Start menu Apps
3. Click the Update button to update the N-Stalker database in the main window of N-Stalker, as shown in the following screenshot.
Web Security Intelligence Service (WSIS) is provided by WSI Labs and will ensure you always get the latest updates available for N-Stalker Web Application Security Scanner as well as for its attack signature database. New 0-day exploits and common vulnerabilities will be added on a daily or weekly basis, giving you the ability to scan your Web Server infrastructure periodically against the latest threats.
FIGURE 4.3: N-Stalker Main window
4. A software disclaimer pop-up will appear. Click OK to continue.
System Requirement: .NET Framework V2.0 or higher; you can download .NET Framework V2.0 from Microsoft.
FIGURE 4.4: N-Stalker Free Edition pop-up
5. N-Stalker will start updating the database; it will take some time to update.
To run N-Stalker Web Application Security Scanner appropriately, there are minimum requirements to be met:
• 128MB RAM (available to N-Stalker)
• At least 500MB Hard Disk free space (caching purposes)
• Win32 Platform (Win 2000, XP, 2003 or Vista and later)
• Internet connection to download N-Stalker database/software updates
FIGURE 4.5: N-Stalker database updating status
6. After updating is complete, click Start to start a new scanning session.
You may modify N-Stalker's cache options to avoid web pages from being permanently stored on your hard disk. This might be useful to preserve disk space on large assessments.
FIGURE 4.6: N-Stalker database updated
7. In N-Stalker Scan Wizard, enter the URL as http://10.0.0.2/realhome/ (this IP address is where the realhome website is hosted).
8. Set the Scan Policy as OWASP Policy, and click Next.
To run N-Stalker Scanner from the command line, you will need a scan session policy that will contain policies, host information and specific configurations needed to run the entire session.
The Scan Wizard (Start Web Application Security Scan Session) asks you to enter a URL and choose a policy. The screenshot shows the Web Application URL http://10.0.0.2/realhome/, the Choose Scan Policy selector, and the options Load Scan Session (load scan settings from previously saved scan sessions), Load Spider Data (load spider data from previously saved scan sessions) and Use local cache from previously saved session (avoid new web crawling).
FIGURE 4.7: N-Stalker Choosing URL and Policy
9. Click Yes in the URI Restriction Found pop-up to continue.
N-Stalker HTTP Brute Force tool does what the name says. It is an HTTP authentication brute force tool that works by taking a web macro and attempting to run a series of authentication requests to obtain valid credentials (you may provide your own user and password list).
URI Restriction Found
You have provided the following page/directory pattern: [/realhome/]
Do you want to restrict your scan to the above directory only?
Yes / No
FIGURE 4.8: N-Stalker URI Restriction Found pop-up
10. In Optimize Settings, click Next to continue.
N-Stalker Web Proxy is a combination of web proxy and HTTP inspection tool. It includes full Web Proxy support (for external browsers) along with an event-driven interception mechanism that allows you to inspect HTTP communications (even SSL) based on keyword matching.
The Optimize Settings page of the Scan Wizard lets you run a series of tests to allow for optimization, or click Next to continue; it shows the Optimization Progress and the Optimization Results (Avg Response, Conn Failures) for http://10.0.0.2/realhome/.
FIGURE 4.9: N-Stalker Optimize Settings
11. Click Yes in the Optimize Settings pop-up.
The term "GHDB" was allegedly coined by Johnny Long, who started to maintain a number of "google-based" queries that would eventually reveal security flaws in websites (without one having to scan the site directly for that vulnerability).
Not Optimized
You haven't optimized your scan settings yet but we strongly recommend you to do that. Do you want to continue anyway?
Yes / No
FIGURE 4.10: N-Stalker pop-up
12. On the Review Summary tab, click Start Session to continue.
This is a string encoding tool which is useful to encode/decode data in multiple formats used by Web Applications.
The Review Summary page for http://10.0.0.2/realhome/ lists the scan settings:
Host Information: [10.0.0.2] Port: [80] SSL: [no]
Restricted Directory: /realhome/
Policy Name: OWASP Policy
False-Positive Settings: Enabled for Multiple Extensions; Enabled for 404 pages
New Server Discovery: Enabled (recommended in most cases)
Spider Engine: Max URLs [500] Max Per Node [30] Max Depth [0]
HTML Parser: JS [Execute/Parse] External JS [Deny] JS Events [Execute]
Server Technologies: N/A
Allowed Hosts: No additional hosts configured
FIGURE 4.11: N-Stalker Review Summary
13. The N-Stalker Free Edition pop-up displays a message. Click OK to continue.
This is a Web Server Discovery tool which will attempt to discover HTTP servers and fingerprint them to obtain their platform version. It might run based on a file list or IP range.
N-Stalker Free Edition
N-Stalker Free Edition has a restriction to crawl only the first 500 pages within the same scan session. For more information about our Commercial Edition, please, contact us:
E-mail: sales@nstalker.com
Phone: +55-11-3675-7093 (GMT-0300)
FIGURE 4.12: N-Stalker Free Edition pop-up
14. Click Start Scan after completing the configuration of N-Stalker.
Google Hacking Database (GHDB) Tool is a unique application that will allow you to search for "google-like" queries within saved spider data. In N-Stalker, GHDB Tool can be invoked by clicking the "GHDB Tool" button under "Miscellaneous Tools".
15. You can view scanning details as shown in the following screenshot.
HTTP Load Tester is a performance tester tool. It will run a Web Macro on a concurrent basis (up to you to decide how many instances) and will provide a report on the number of connection failures and successes.
FIGURE 4.14: N-Stalker Start Scan Status
16. N-Stalker will scan the site with four different methods.
Macro Recorder is a tool to manage "Web Macros" within N-Stalker Web Application Security Scanner.
FIGURE 4.15: N-Stalker Scanning methods
17. In the left pane, the Website tree displays the pages of the website.
"Web Macro" is a user-provided navigation script that is usually recorded using a web browser and a web proxy tool. Macro Recorder allows you to insert manual URLs as well, and you must choose between an authentication or navigation macro.
FIGURE 4.16: N-Stalker Website Tree
18. In Results Wizard, select the relevant options as shown in the following screenshot and click Next.
An authentication Web Macro is used to authenticate N-Stalker against Web Forms or any other kind of user-interaction-based authentication.
Results Wizard
Scan Session has finished successfully. N-Stalker found 12 vulnerabilities.
Session Management Options: (•) Save scan results ( ) Discard scan results
Total Scan Time: 0 Hour(s) 4 Minute(s)
Total Vulnerabilities: High: 0, Medium: 0, Low: 2, Info: 10
Next Steps: ( ) Close scan session and return to main screen; [ ] Open N-Stalker Report Manager; (•) Keep scan session for further analysis
FIGURE 4.17: N-Stalker Results Wizard
19. N-Stalker displays the summary of vulnerabilities. Click Done.
As applications provide both a means to login and logoff, Authentication Macros have a "logout detection" control that can be configured to prevent accidental logoff.
Results Wizard
Scan Session has finished successfully. N-Stalker found 12 vulnerabilities.
A navigation Web Macro is used to provide a specific path within the application to be followed by N-Stalker's spider engine.
Summary: Total Scan Time 0 Hour(s) 4 Minute(s); Total Vulnerabilities High: 0, Medium: 0, Low: 2, Info: 10
Application Objects (Count):
Total Web Pages: 8
High Vulnerabilities: 0
Medium Vulnerabilities: 0
Low Vulnerabilities: 2
Info Vulnerabilities: 10
Total Hosts Found: 1
Total HTTP Cookies: 0
Total Directories Found: 0
Total Web Forms Found: 3
Total Password Forms: 0
Total E-mails Found: 0
Total Client Scripts: 9
Your request has been successfully processed.
When you are generating reports, N-Stalker allows you to customize the template and data that will be used to generate the final report. Both executive and technical reports allow for that customization.
Done
FIGURE 4.18: N-Stalker Summary
20. You can view the complete scan results of the URL in the main dashboard of N-Stalker (the dashboard shown lists findings such as Google Hacking Database (GHDB) Signature Found).
These macros can use any URLs and will not be prevented from calling external services within N-Stalker's spider engine.
FIGURE 4.19: N-Stalker Dashboard
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.
Tool/Utility: N-Stalker
Information Collected/Objectives Achieved: Scan session successfully processed with 12 vulnerabilities detected
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Analyze how to speed up the scanning process and reduce the number of pages the IBM Rational AppScan finds.
2. Evaluate whether it is possible to perform scans against live production environments with IBM Rational AppScan. Will that cause damage or hurt the site?
3. Analyze how variables can be implemented in a multi-step sequence with IBM Rational AppScan.
Internet Connection Required
☐ Yes
☐ No
Platform Supported
☑ Classroom
☑ iLabs