SQL Injection
http://localhost/DVWA/vulnerabilities/sqli/
http://localhost/DVWA/vulnerabilities/sqli/
Using BurpSuite and the FoxyProxy extension is recommended.
We've an input type text that received an User ID in I by user and submit request using the Submit button:
This's our request captured by Burp Suite, while here below there's a php source code:
How the same in the low level, there're not input sanitation, then we can send what we want into input type text field. In this case request will arrive to DB located into webserver, but query will be preparared using php language.
Analyzing source code, we know that mysql query is:
Regarding query and that our input type value is insert into $id variable, if we want to see all rows of DB, we need to send a query request always boolean true (e.g. 1=1), in addition we can hide all parts not important using ' character.
Then in this case, we can use following payload: ' OR 1=1 --
in the where condition there're a first search to user with this id '' OR a true condition, plus a comment.
This permit us to see all DB results:
Regarding that query selects: first_name, last_name field from users table, we can use UNION operator to add a new query: ' UNION select first_name,password from users --
Note: Every SELECT statement within UNION must have the same number of columns.
The input is not sanitized, so I can execute any (potentially malicious) command.
Here, there're a select with range (1 to 5) to set User ID.
In addition to low level, in the code below there're an escape string control and query variable $ID isn't enclosed by ''.
Our request include an ID + Submit values.
But, we can modify ID value using Burp Suite repeater function:
Remembering that $ID variable isn't enclosed by '', escape string control isn't a matter.
Then in this case, we can use following payload: 1 OR 1=1 --
in the where condition there're a first search to user with this id '' OR a true condition, plus a comment.
How the low level, regarding that query selects: first_name, last_name field from users table, we can use UNION operator to add a new query: 1 UNION select first_name,password from users --
Note: Every SELECT statement within UNION must have the same number of columns.
The input is not sanitized, so I can execute any (potentially malicious) command.
In this level clicking on first page, we obtain a redirect to a second page to submit effectively our Session ID:
In this case payload is always the same of low level, but we need to add it into second page, infact we've two request (GET and POST)
However, we can use following payload: 1' OR 1=1 --
that permit us to see all DB results:
How last levels, we can use UNION operator to add a new query: ' UNION select first_name,password from users --
Note: Every SELECT statement within UNION must have the same number of columns.
The input is not sanitized, so I can execute any (potentially malicious) command.
The best solution is to sanitize query using a prepared statement, to delineate part static and dinamic (id) of query; take a binding parameter to check if is it an integer or char; insert a control to count rows number as result; and use a CSRF token.
All this permits to separate sql code with sql data/parameter insert by user.
For the making of this solution the following resource were used:
We obtain hash of psw to eventually crack using tools such as: and .
We obtain hash of psw to eventually crack using tools such as: and .
We obtain hash of psw to eventually crack using tools such as: and .
