How To Hack With SQL Injection Attacks! DVWA low security

August 16, 2022
in Ethical Hacking

SQL injection is a code injection technique that exploits a vulnerability in the database layer of an application. The vulnerability is present when user input is embedded in an SQL statement without being correctly validated or escaped (for example, string-literal escape characters are not filtered, or the input is not strongly typed), so that part of the input ends up being executed as SQL.
This allows an attacker to run unintended SQL commands and compromise the data the application holds.
You can find a detailed description of the vulnerability in this article: SQL Injection: What You Need to Know.
In this tutorial, we are going to exploit a SQL injection vulnerability on the Damn Vulnerable Web Application (DVWA).

An attacker usually has several tools available for this task, such as:

  • Burp Suite
  • SQLMap

Those two are the best known; however, we won't need either of them in this tutorial, since every step can be done by hand through the browser.

Here is the list of all the articles about SQL injection for quick navigation:


In-Band SQL injection

  • SQL Injection: What You Need to Know
  • Learn SQL injection in practice by hacking vulnerable application!
  • How To Hack With SQL Injection Attacks! DVWA low security
  • Hack With SQL Injection Attacks! DVWA medium security
  • Hack With SQL Injection Attacks! DVWA high security
  • Mastering SQL Injection on DVWA Low Security with Burp Suite: A Comprehensive Guide
  • Mastering DVWA SQL Injection: Medium Security with Burp Suite

Blind SQL injection

  • Blind SQL injection: How To Hack DVWA With Python (Low Security)
  • Blind SQL Injection: How To Hack DVWA With Python (Medium Security)
  • Blind SQL Injection: How To Hack DVWA With Python (High Security)

Preparing DVWA for SQL injection

We have different options to set up our laboratory, but I always prefer the fastest one, so instead of installing the machine from Vulnhub, I suggest you use the DVWA machine from TryHackMe.
At this point, you can either use the AttackBox or run your own Kali machine.

If you are using your own Kali machine, as I do:

  • Start the machine
  • Open your Kali VM and follow the instructions on how to connect to the TryHackMe VPN.
  • Point your browser at the IP address shown for the machine
[screenshot: start dvwa machine for sql injection]

If everything is ok, you should see the login page where you have to insert credentials and get inside:

  • username: admin
  • password: password
[screenshot: dvwa login]

Before we begin, we need to ensure that our DVWA security setting is low.
This can be done by going to the DVWA Security tab and selecting low from the drop-down menu.

[screenshot: dvwa security setting]

Now that we have our security setting configured, we can move on to exploiting the SQL injection!

SQL injection for DVWA Low Security: What DBMS?

We are ready to test our SQL injection attack on DVWA. The first step is to select “SQL injection” from the menu on the left.

I won’t go in-depth with the concepts we have already seen in this article: Learn SQL injection in practice by hacking vulnerable application!

Let’s try to pass the following input to the form, just to check if the vulnerability is present:

' OR 1=1 #

And this is the result:

[screenshot: sql injection test on dvwa low security]

It works, so we have confirmation that the vulnerability is present!

Another thing that catches the eye is the hash sign: `#` starts a single-line comment in MySQL, so the fact that it neutralised the rest of the original query is a hint that the DBMS could be MySQL (or MariaDB).

But we want to do everything right, and we already know how to verify our hypothesis.
As we have already seen, the first step is to find out how many columns are involved in the query.
This time, unlike what I did previously, I'll use the "ORDER BY" technique.
As a refresher: we append an ORDER BY clause to the query and sort by column position rather than by name. As long as the position exists the query succeeds; the first position that raises an error is out of range, so the number of columns is one less than that index.

Our query should appear like this:

... ORDER BY <NUMBER> #

Where we have to replace “<NUMBER>” with an increasing index until we get an error.

So let’s try to pass as input the following strings:

1' ORDER BY 1 #
1' ORDER BY 2 #
1' ORDER BY 3 #

When we try with index=3 the server raises an error:

Unknown column '3' in 'order clause'

It means that the query returns two columns, and this will be essential when we build a UNION SELECT: both sides of a UNION must have the same number of columns.

We can check our assumption about the DBMS by typing:

1' OR 1=1 UNION SELECT 1, VERSION()#

VERSION() is a MySQL (and MariaDB) function that returns the value of the "version" system variable.
So, after clicking "Submit" and getting the result shown in the image below, we know that the DBMS is MySQL.

[screenshot: sql injection dbms]

In the last row, we also get the version of the running DBMS: 5.5.61.

SQL injection for DVWA Low Security: Getting Schema Info

It is time to obtain information about the schema. At this point we know that:

  • The DBMS is MySQL 5.5.61
  • The query involves two fields

This step is optional, but we don’t want to be confused by too many results, so I prefer to get the current database name so that we can filter the results in the next step:

1' OR 1=1 UNION SELECT 1,DATABASE() #

In this case too, DATABASE() is a MySQL function: it returns the name of the current database, so this will be our result:

[screenshot: sql injection database]

Clearly, the name we were looking for is “dvwa” in the last line!

Now we can continue and retrieve the table names with this query (note how much noise we filter out just by knowing the database's name, since information_schema.tables lists the tables of every schema on the server):

1' OR 1=1 UNION SELECT 1,table_name FROM information_schema.tables WHERE table_type='base table' AND table_schema='dvwa' #

The result is very easy to read; in particular, the table "users" at the end of the results looks interesting for our purposes.

[screenshot: sql injection tables]

In the end, we need to know the names of the columns of the target table.

The process to retrieve this information is the same we used until now, let’s write our query:

1' OR 1=1 UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name='users' #

This query lists the names of all the columns in the table "users". If several schemas on the server contain a table with that name, the results will be mixed together, so add a clause such as AND table_schema='dvwa' to restrict them to the right database.

[screenshot: sql injection columns]

The highlighted columns are the ones we are interested in for the final phase.

Having got to this point, we have everything we need to perform our attack!

SQL injection for DVWA Low Security: Retrieving the credentials

I bet you already know what we are going to do, anyway, for the sake of clarification I’ll show you the complete process.

The query we are going to write should retrieve the fields user and password:

1' OR 1=1 UNION SELECT user, password FROM users #

After submitting the “exploit” we get the list of all the credentials in the “users” table:

[screenshot: sql injection credentials]

The most promising one is the row inside the box (probably the credentials of an administrator account). As in the previous tutorial, though, the password is not stored in plain text but as a hash (DVWA uses unsalted MD5), so we need one more step to crack it.

So, as we already did in the previous tutorial, copy and paste the hash into CrackStation's text area, solve the captcha and look at the result. An unsalted MD5 of a common password is trivially recovered from a lookup table, which is exactly why unsalted fast hashes should never be used for passwords.

[screenshot: crackstation]

We are done! The username is "admin" and the password is "password": not the safest combination, but we found it!

Conclusion

This write-up of SQL injection against DVWA at the low security setting was pretty easy, but I hope it was as instructive as possible. Practice will make you more confident when approaching more complicated scenarios during your penetration testing or bug hunting.
Anyway, this won't be the last article about SQL injection, so if you are interested in the topic, stay tuned and follow StackZero!
