For this lab you’ll need
- A Ubuntu VM with a LAMP stack installed.
- The LAMP stack install directions are here.
- A Kali Linux VM
In this lab, we will:
- Create a simple PHP server that allows an end user to:
  - Log in using a username/password stored in a MySQL database.
- Exploit the application manually.
- Automate the process with SQLMap.
- Implement input sanitization to protect against the attack.
If you pay attention to IPPSEC’s methodology when he approaches web applications on HackTheBox, you’ll find that one of the earliest checks he’ll perform against user-controlled webpage forms is to see whether or not SQL error messages can be generated.
  - If user input submitted to a back-end database throws an error, he’ll try to exploit the condition to pull information out of the database that would otherwise be protected.
  - Many times, this will result in username/password disclosure.
If you are comfortable with the processes demonstrated in this lab, you should be able to eyeball any pertinent questions on the Security+ exam related to SQL injection or the sqlmap program.
Let’s start with a simple login form. Create a webpage in /var/www/html called login.html and paste the following:
cd /var/www/html
pico login.html
<form method="post" action="action.php">
Your Username:
<br>
<input type="text" name="username">
<br>
Your Password:
<br>
<input type="text" name="password">
<br>
<input type="submit" value="Submit">
<br>
</form>
Here, we have a form that allows the user to type a username/password (both visible in plaintext), and it submits the information via a POST request to action.php.

Our action.php will need to do the following:
- Read in the username and password, passed in via POST parameters.
- Submit the username/password to the database for validation.
- If the username/password matches a combo in the database, we’ll print the matched username/password back to the user.
- If the username/password doesn’t match anything in the database, we’ll print a ‘login incorrect’ message.
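One way to write action.php to that spec, as an added example rather than the lab’s own file. It assumes a MySQL database named `lab`, a table `users(username, password)` and a MySQL account `labuser`/`labpass`, none of which the lab has created yet. The concatenated query is the injectable form the exploitation steps work against; the parameterized query is the fix the final step calls for (binding parameters is the standard replacement for hand-rolled sanitization):

```php
<?php
// action.php: added example for the spec above (not the lab's own file).
// Assumed (not on the page): database `lab`, table `users(username, password)`,
// MySQL account labuser/labpass. Adjust these to match your LAMP setup.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$db = new mysqli('127.0.0.1', 'labuser', 'labpass', 'lab');
if ($db->connect_error) {
    die('Database connection failed: ' . htmlspecialchars($db->connect_error));
}

// false reproduces the injectable version the lab exploits;
// true is the parameterized version used in the final (fix) step.
$usePrepared = true;

if ($usePrepared) {
    // Placeholders are bound as data, so a quote in either field can never
    // change the structure of the SQL statement.
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $result = $stmt->get_result();
} else {
    // Vulnerable: user input is concatenated straight into the query, so a quote
    // in either field alters the SQL. The error echoed here is exactly the kind
    // of message the "can I make the database throw an error?" check looks for.
    $sql = "SELECT username, password FROM users WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql) or die('Query failed: ' . htmlspecialchars($db->error));
}

if ($row = $result->fetch_assoc()) {
    // Lab behaviour: echo the matched credentials back (HTML-escaped on output).
    echo 'Login correct: ' . htmlspecialchars($row['username']) . ' / ' . htmlspecialchars($row['password']);
} else {
    echo 'Login incorrect';
}
$db->close();
```

Storing and echoing plaintext passwords is lab behaviour only; outside the lab, store hashes with password_hash() and check them with password_verify().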