πŸ•ΈοΈ
DVWA - Web
  • 🚩DVWA - Web
  • Install and configure DVWA
  • Brute Force -
  • Command Injection
  • CSRF
  • File Inclusion
  • File Upload --
  • Insecure CAPTCHA --
  • SQL Injection
  • SQLi Blind --
Powered by GitBook
On this page
  • Low
  • Medium
  • High
  • Impossible
  • References

SQL Injection

http://localhost/DVWA/vulnerabilities/sqli/

PreviousInsecure CAPTCHA --NextSQLi Blind --
What is a SQL Injection?

SQL injection is a type of security vulnerability that occurs when an attacker is able to manipulate a SQL query by injecting malicious SQL code into user-input fields or other parameters. This can happen when an application does not properly validate or sanitize user inputs before constructing SQL queries.

SQL injection attacks are most common in web applications that interact with a database. When user inputs are directly concatenated into SQL queries without proper validation, an attacker can input specially crafted strings that alter the intended logic of the SQL query.

Using BurpSuite and the FoxyProxy extension is recommended.

Low

We've an input type text that received an User ID in I by user and submit request using the Submit button:

This's our request captured by Burp Suite, while here below there's a php source code:

How the same in the low level, there're not input sanitation, then we can send what we want into input type text field. In this case request will arrive to DB located into webserver, but query will be preparared using php language.

Analyzing source code, we know that mysql query is:

SELECT first_name, last_name FROM users WHERE user_id = '$id';

1st Payload

Regarding query and that our input type value is insert into $id variable, if we want to see all rows of DB, we need to send a query request always boolean true (e.g. 1=1), in addition we can hide all parts not important using ' character.

Then in this case, we can use following payload: ' OR 1=1 -- 

SELECT first_name, last_name FROM users WHERE user_id = '' OR 1=1 -- ';

in the where condition there're a first search to user with this id '' OR a true condition, plus a comment.

This permit us to see all DB results:

2nd Payload

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT first_name,password FROM users -- ';

Note: Every SELECT statement within UNION must have the same number of columns.

The input is not sanitized, so I can execute any (potentially malicious) command.

Medium

Here, there're a select with range (1 to 5) to set User ID.

In addition to low level, in the code below there're an escape string control and query variable $ID isn't enclosed by ''.

Our request include an ID + Submit values.

But, we can modify ID value using Burp Suite repeater function:

1st Payload

Remembering that $ID variable isn't enclosed by '', escape string control isn't a matter.

Then in this case, we can use following payload: 1 OR 1=1 -- 

SELECT first_name, last_name FROM users WHERE user_id = 1 OR 1=1 -- ;

in the where condition there're a first search to user with this id '' OR a true condition, plus a comment.

2nd Payload

SELECT first_name, last_name FROM users WHERE user_id = 1 UNION SELECT first_name,password FROM users -- ';

Note: Every SELECT statement within UNION must have the same number of columns.

The input is not sanitized, so I can execute any (potentially malicious) command.

High

In this level clicking on first page, we obtain a redirect to a second page to submit effectively our Session ID:

1st Payload

In this case payload is always the same of low level, but we need to add it into second page, infact we've two request (GET and POST)

However, we can use following payload: 1' OR 1=1 -- 

SELECT first_name, last_name FROM users WHERE user_id = '1' OR 1=1 -- ';

that permit us to see all DB results:

2nd Payload

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT first_name,password FROM users -- ';

Note: Every SELECT statement within UNION must have the same number of columns.

The input is not sanitized, so I can execute any (potentially malicious) command.

Impossible

All this permits to separate sql code with sql data/parameter insert by user.

References

For the making of this solution the following resource were used:

Regarding that query selects: first_name, last_name field from users table, we can use operator to add a new query: ' UNION select first_name,password from users --

We obtain hash of psw to eventually crack using tools such as: and .

How the low level, regarding that query selects: first_name, last_name field from users table, we can use operator to add a new query: 1 UNION select first_name,password from users --

We obtain hash of psw to eventually crack using tools such as: and .

How last levels, we can use operator to add a new query: ' UNION select first_name,password from users --

We obtain hash of psw to eventually crack using tools such as: and .

The best solution is to sanitize query using a prepared statement, to delineate part static and dinamic (id) of query; take a binding parameter to check if is it an integer or char; insert a control to count rows number as result; and use a token.

UNION
UNION
UNION
CSRF
https://github.com/LeonardoE95/DVWA/tree/main/src/sqli
localhost/DVWA/vulnerabilities/view_source.php?id=sqli&security=low
Hashcat
John The Ripper
Hashcat
John The Ripper
Hashcat
John The Ripper
15 - SQL Injection
SQLMaphttps://www.kali.org/tools/sqlmap/ https://tryhackme.com/room/sqlmap