INSTALL THE DVWA IN DOCKER
01 RUN THE IMAGE
Use the official instructions to get Docker installed. Then run the image with: $ docker run --rm -it -p 8080:80 vulnerables/web-dvwa
In a moment you should find the server running on port 8080 of the host machine. Click the “Create/Reset Database” button to begin the fun.
02 BEGIN SLEUTHING
Log in with the super-secure combination admin:password and go to the SQL Injection page from the menu on the right. This appears to be some kind of user query utility. Try entering “1” into the form. You should see some information about the admin user. See what else you can find out from here.
03 STEAL A COOKIE
We’re going to attack this web app using SQL later on in the tutorial, but to do that we need the session cookie. Click the site information tab to the left of your browser’s URL bar and find the cookies the page has set. There should be one called PHPSESSID, which contains a random string of characters. Copy that down.
And you can see why this is bad. SQL injection has been around since the end of the 1990s and continues to plague applications today. This, despite there being no shortage of PHP functions for sanitising input – all the easy attacks stop working if you don’t allow punctuation in your forms. Indeed, crudely building SQL statements like this is more or less asking for trouble. Even if the previous example doesn’t work anymore (because chaining SQL statements together isn’t permitted), there’s still all kinds of damage you can do with the UNION operator. So the favoured way to get PHP to talk to SQL nowadays is through prepared statements.
Breaking and entering
Once you’ve got DVWA up and running you’re probably keen to get started breaking it. That’s quite easy to do. We’ll spoil the fun a little because space is short, but try entering the following doozy into the SQL Injection page: ' and 1=0 union select null, concat(user,':',password) from users #
As we described above, we’ve successfully borked the underlying SQL query and tricked the application into coughing up usernames and passwords for the whole team. Oh dear, oh dear. There are some tools that can help find SQL exploits. One of the most popular is sqlmap, which you’ll find in Kali’s Web Application Analysis menu. In the simplest case, you can probe a form just by passing a URL with something like: $ sqlmap -u http://vulnerable.com/form.php
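The paragraph above shows the crudely built query being tricked into returning every user’s credentials, and the earlier one recommends prepared statements as the fix. The following added example puts the two constructions side by side; it is not DVWA’s code and is written in Python against SQLite rather than PHP against MySQL so that it runs offline. The table, its rows and the “hashes” are constructed for the demo, and the page’s payload is rewritten in SQLite syntax (|| in place of concat(), -- in place of #).

```python
import sqlite3

# Constructed sample data standing in for DVWA's MySQL "users" table.
# The column names mirror the ones DVWA's SQL Injection page queries;
# the rows and "hashes" are made up for this demo.
SAMPLE_USERS = [
    (1, "Admin", "User", "admin", "not-a-real-hash-admin"),
    (2, "Gordon", "Brown", "gordonb", "not-a-real-hash-gordonb"),
]

# The page's payload, with MySQL's concat() and '#' comment swapped for
# SQLite's '||' operator and '--' comment so it runs under sqlite3.
PAYLOAD = "' and 1=0 union select null, user || ':' || password from users --"


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Crudely built query: the form value is spliced into the SQL text, so
    any punctuation in it is parsed as SQL grammar rather than as data."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Prepared (parameterised) statement: the SQL text is fixed and the value
    travels separately, so it can only ever be compared against user_id."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def run_demo():
    """Return what each lookup yields for a normal id and for the payload."""
    conn = make_db()
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, "1"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "1"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Run it and the vulnerable lookup hands back a user:hash pair for every row when given the payload, while the parameterised lookup returns nothing at all for the same input, because the whole string is compared against user_id and matches no row. The point is that no input filtering was needed for the safe version; the fix is structural.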
For DVWA, though, because we had to log in to access it we’ll need that cookie from step three (below left) if we want sqlmap to see the relevant form. We also need the rather ugly, complete URL from the SQL injection form, which is displayed after you submit it. We’ll also cheat a little and turn down DVWA’s security via the cookie, otherwise this attack isn’t quite so easy. So the proper incantation to sqlmap will look something like: $ sqlmap -u "http://192.168.0.9:9090/vulnerabilities/sqli/?id=bob&Submit=Submit#" --dbs --cookie="PHPSESSID=q7bbkn0me48hp5dho22k59srl4; security=low"
Hit Return if you’re told the URL content is not stable – it’s nothing to worry about. You can safely skip the tests for non-MySQL payloads and say no to including additional ones. sqlmap will run through its armory of attacks against the id parameter and should eventually spit out this helpful message: GET parameter ‘id’ is ‘Generic UNION query (NULL) - 1 to 20 columns’ injectable
as well as two other injections. After that, it will show you three corresponding queries to exploit these vulnerabilities.
Again, sqlmap is for finding bugs in your own applications. Just because you can point it at any form on the web definitely does not mean you should. We know that many readers will have their own Nextcloud installations (inspired perhaps by our Smart Home Office feature), and we trust that you keep these up to date.
However, just staying updated may not be enough. There’s all kinds of room for misconfiguration – not just in Nextcloud itself, but in the underlying LAMP components too. There is some excellent information on hardening your Nextcloud install in the manual, available at http://bit.ly/MPCnextcloud, which covers things like giving PHP access to /dev/urandom (to avoid running out of entropy), and SELinux.
There’s also a comprehensive security scan you can run from https://scan.nextcloud.com, which will make sure your instance is watertight. You’ll even get a grade at the end. Any web service you’re running should use HTTPS. There’s no reason not to now that free certificates are available from Let’s Encrypt, as well as its excellent Certbot tool for managing them and keeping them up to date. There’s plenty of room for misconfiguring HTTPS too, so go to https://ssllabs.com/ssltest and make sure your server gets an A grade.