In order to practice our hack-fu, we need a suitable testing environment. In this article we will set up DVWA (Damn Vulnerable Web Application), a well-known web application that is deliberately full of security vulnerabilities for learning purposes.
We install Ubuntu server and create a user named kr0m.
We update the OS to the latest version:
apt dist-upgrade
We install PHP-FPM and the userland utilities for managing filesystem ACLs (used further down):
We configure the PHP timezone. First we check which PHP version the packages installed, then we create a mods-available snippet and enable it:
cd /etc/
apt search php
PHPVERSION="7.2"
echo '; set timezone to Europe/Madrid
; priority=30
date.timezone = Europe/Madrid' > /etc/php/$PHPVERSION/mods-available/timezone.ini
phpenmod timezone
We install Apache:
We disable the other MPMs so that only the event MPM is active (Apache allows exactly one MPM to be loaded):
a2dismod mpm_worker
a2dismod mpm_prefork
We enable the necessary modules for php-fpm to work:
a2enmod mpm_event
a2enmod proxy_fcgi
a2enmod rewrite
We restart the service to apply the changes:
We check that PHP is executed through FPM by placing a phpinfo() test file (info.php) in the docroot:
We access the VM’s IP:
http://VM_IP/info.php
We delete the file once it has been verified that everything works, since phpinfo() discloses the full server configuration:
We install some additional PHP extensions:
We install DVWA into /var/www/html, which is where the vhost below will point (the ethicalhack3r repository now redirects to github.com/digininja/DVWA):
wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
apt install unzip
unzip master.zip
chown -R kr0m:kr0m DVWA-master/
mv DVWA-master/config/config.inc.php.dist DVWA-master/config/config.inc.php
We configure the user who will access the database:
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
We configure the security level at which DVWA will run:
$_DVWA[ 'default_security_level' ] = 'low';
We configure an Apache vhost:
DocumentRoot /var/www/html/DVWA-master
<Directory "/var/www/html/DVWA-master">
AllowOverride All
</Directory>
We restart Apache:
We install a MySQL server:
We create the database and grant the access user all privileges on it. The GRANT ... IDENTIFIED BY form creates the account implicitly on MySQL 5.7; it was removed in MySQL 8.0, where a CREATE USER statement must come first:
mysql> CREATE DATABASE dvwa;
mysql> GRANT ALL PRIVILEGES ON dvwa.* TO dvwa@'127.0.0.1' IDENTIFIED BY 'p@ssw0rd';
mysql> FLUSH PRIVILEGES;
We enable the following directive in the FPM php.ini so that all DVWA vulnerabilities can be exploited (it is what makes the remote file inclusion exercise possible):
allow_url_include = On
We restart php-fpm:
We apply ACLs so that Apache (www-data) can write where the DVWA exercises expect it to: the upload directory, the PHPIDS log and the config directory. Default ACLs (-d) only exist on directories, so the PHPIDS log file gets a plain ACL only:
setfacl -R -m u:www-data:rwX -m u:kr0m:rwX /var/www/html/DVWA-master/hackable/uploads/
setfacl -m u:www-data:rwX -m u:kr0m:rwX /var/www/html/DVWA-master/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
setfacl -dR -m u:www-data:rwX -m u:kr0m:rwX /var/www/html/DVWA-master/config
setfacl -R -m u:www-data:rwX -m u:kr0m:rwX /var/www/html/DVWA-master/config
We access the web interface. On the first visit DVWA redirects to setup.php, where the "Create / Reset Database" button populates the dvwa database; after that we log in with the default credentials:
http://VM_IP/
admin
password
NOTE: To test the full potential of the SQL injections, the MySQL service has to be configured in a certain way, the access user needs extra privileges, the Apache docroot needs certain permissions, and the MySQL AppArmor profile has to be disabled. The following section removes those protections one at a time.
DESECURING:
If we want the dvwa user to be able to read and write files on the server through MySQL (LOAD_FILE() and INTO OUTFILE), it needs the FILE privilege, which is global and can only be granted ON *.*:
mysql> GRANT FILE ON *.* TO dvwa@'127.0.0.1';
mysql> FLUSH PRIVILEGES;
If we want MySQL to read/write outside /var/lib/mysql-files/, we must clear the secure_file_priv setting; otherwise we see the following error:
mysql> SELECT first_name, last_name FROM users WHERE user_id='1' UNION ALL SELECT 1, LOAD_FILE('/etc/passwd') INTO OUTFILE '/tmp/blindOutputTest0.txt';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
mysql> SHOW VARIABLES LIKE "secure_file_priv";
+------------------+-----------------------+
| Variable_name | Value |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
To disable it, we set it to an empty string in the [mysqld] section of the server configuration (on Ubuntu, /etc/mysql/mysql.conf.d/mysqld.cnf) and restart MySQL, since the variable cannot be changed at runtime:
[mysqld]
secure_file_priv=""
If we try to read the file now:
mysql> SELECT first_name, last_name FROM users WHERE user_id='1' UNION ALL SELECT 1, LOAD_FILE('/etc/passwd') INTO OUTFILE '/tmp/blindOutputTest0.txt';
We check the content of the file (the trailing backslashes are INTO OUTFILE escaping the newlines embedded in the LOAD_FILE() result):
admin admin
1 root:x:0:0:root:/root:/bin/bash\
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\
bin:x:2:2:bin:/bin:/usr/sbin/nologin\
sys:x:3:3:sys:/dev:/usr/sbin/nologin\
If we also want it to write into /var/www/html/DVWA-master/ (which is what turns a file-writing injection into a PHP shell in the docroot), we also have to unload the AppArmor profile that confines mysqld to its own directories (only on Ubuntu or other distros that ship AppArmor by default). apparmor_parser -R only unloads it from the running kernel; the profile is loaded again on reboot unless it is also disabled under /etc/apparmor.d/disable/. The target directory additionally has to be writable by the mysql system user at the filesystem level, since AppArmor is only the second gate:
apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
We check that we can write to that directory:
mysql> SELECT first_name, last_name FROM users WHERE user_id='1' UNION ALL SELECT 1, LOAD_FILE('/etc/passwd') INTO OUTFILE '/var/www/html/DVWA-master/blindOutputTest0.txt';
If we want the dvwa user to be able to read the MySQL system schema, including the account table mysql.user:
mysql> GRANT SELECT ON mysql.* TO dvwa@'127.0.0.1';
mysql> FLUSH PRIVILEGES;
We check that we can perform the query on MySQL users:
mysql> SELECT first_name, last_name FROM users WHERE user_id='1' UNION ALL SELECT 1, user FROM mysql.user;
+------------+------------------+
| first_name | last_name |
+------------+------------------+
| admin | admin |
| 1 | dvwa |
| 1 | debian-sys-maint |
| 1 | mysql.session |
| 1 | mysql.sys |
| 1 | root |
+------------+------------------+