The following video demonstrates the manual exploitation of blind SQL injection vulnerabilities in DVWA, followed up by a quick crack of the stolen hashes with John the Ripper.
Important note 1: You must set DVWA’s security to medium for the function to be exploitable, as the high security level cannot be exploited, IMO.
Important note 2: On the medium security setting, the PHP function mysql_real_escape_string is used to prepend backslashes to the following characters: \x00, \n, \r, \, ‘, ” and \x1a. This means the SQL server will interpret single or double quotes as text (names actually) rather than special characters which encapsulate a string. It is necessary then to enter any text requiring quotes, most likely in a where clause, as their ASCII hex-encoded equivalent. For example:
1 and 1=0 union select table_name, column_name from information_schema.columns where table_name='users' becomes:
1 and 1=0 union select table_name, column_name from information_schema.columns where table_name=0x7573657273
Sorry, but the end of the video gets cut off a bit. Following the exploit, I crack the stolen MD5 hashes w/ JTR with using the command:
john --format=raw-MD5 dvwa_hashes
For best results watch in fullscreen, HD. Enjoy!…
Posted by Dennis Antunes.
If you are in the Boston-area, and would like to learn this and much more in a hands-on situation, I’ll be mentoring the SANS 542 Track: Web App Penetration Testing and Ethical Hacking beginning 4/13/2011. Contact me: stratmofo at gmail dot com directly for special discount.