Posted in Penetration Testing, web app testing

Seattle v0.3 – Vulnhub VM

Over at Vulnhub.com you will find a large selection of vulnerable virtual machines to download and play around with. It is by far the safest way to test your newly learned skills. For the next few days I'll be working on the VM created by HollyGraceful.

The link to the VM is here

Seattle Sounds website

LoginPage

There are several links on the site upon opening. ‘Vinyl’ takes you to a collection of old records and ‘Clothing’ takes you to a small collection of T-Shirts. The ‘My Account’ link takes you to the page in the image above. You are presented with some helpful information.

You must log in to the site using an email address. Let's try it out and see what feedback we get.

LoginPage1

Username='test@test.com' & password='test'

LoginPage2

No dice! Invalid username. Surely there must be a way of finding a username? Let's navigate around the website links. The 'Blogs' link looks interesting.

Blog1

Hey! by Admin
Welcome to our site!

Instant curiosity leads me to click on anything that looks like a link. On hovering the word ‘Admin’ the cursor changes revealing a nice bit of information.

Blog2

Given that the login screen specifies that an email address is to be used to log in, I'd say this was a good find. Let's give it a try.

LoginSQLi

One particular piece of information is missing: the password. However, previously when checking for SQL errors in the site's URL I received the error below.

SQLError

It led me to believe that I could use some sort of SQL injection on the site. Why not on the login screen?

Entering ' OR 1=1 -- in the password box bypasses the need for the password, because you are telling the site to return the record for 'admin@seattlesounds.net' regardless of what the password is. The resulting SQL statement passed to the DB would look something like this (the table name is my guess; the site does not reveal it):

SELECT * FROM users WHERE user='admin@seattlesounds.net' AND password='' OR 1=1 --'

It makes more sense when you see the statement. We know the username, so that part is satisfied; the DB then has two things to evaluate after it: is the password BLANK, OR is 1=1? Since 1=1 is always true, the whole WHERE clause is true and the row comes back whatever the real password in the DB is. The trailing -- turns the rest of the original query (including the site's closing quote) into a comment, so the statement stays valid.
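As an added example (not code from the original post or from the VM), here is the concatenated login check beside a parameterised fix, run against a constructed in-memory SQLite table; the table name, column names and sample password are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the site's user table. The table
# and column names and the password value are assumptions, not taken from
# the Seattle Sounds application.
SAMPLE_USERS = [("admin@seattlesounds.net", "assumed-admin-password")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(user, password):
    """Build the statement by string concatenation, the way the SQL error
    on the site suggests it is built. Returned so the reader can see it."""
    return ("SELECT * FROM users WHERE user='" + user
            + "' AND password='" + password + "'")


def login_vulnerable(conn, user, password):
    # Plaintext comparison kept to match the walkthrough; a real site would
    # compare a password hash, which does not change the injection outcome.
    return conn.execute(vulnerable_query(user, password)).fetchone() is not None


def login_fixed(conn, user, password):
    """Same check with bound parameters: the input is data, never SQL."""
    query = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(query, (user, password)).fetchone() is not None


def run_demo():
    conn = make_db()
    user = "admin@seattlesounds.net"
    payload = "' OR 1=1 --"   # the password-box input from the walkthrough
    return {
        "vuln_wrong_pw": login_vulnerable(conn, user, "test"),
        "vuln_payload": login_vulnerable(conn, user, payload),
        "fixed_payload": login_fixed(conn, user, payload),
        "fixed_real_pw": login_fixed(conn, user, "assumed-admin-password"),
    }


if __name__ == "__main__":
    print(vulnerable_query("admin@seattlesounds.net", "' OR 1=1 --"))
    print(run_demo())
```

Running it prints the exact statement the DB receives, and shows that the same input that logs in through the concatenated query is treated as a literal (and rejected) by the parameterised one.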

SUCCESS

SUCCESS!! It worked and we're logged in. We can submit a new post to the site, change the password, and lock the Admin out of the site.

Beginner stuff!

Yes, this is beginner stuff. However, it does help you understand how SQL statements and queries are formed from simple inputs, and what actually happens in the background when you hit 'Log In'. Understanding the theory will go very far.

In the next post I'll be using Burp Suite and a password dictionary to brute force the login page.

Thanks!

I just want to say thanks to Vulnhub for hosting this VM and to HollyGraceful for creating the VM. Visit her website here
