Performing Union-Based SQL Injection on the DVWA Environment with Low Security (Beginners)
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server. Reference: https://portswigger.net/support/using-burp-to-detect-sql-injection-flaws
Here we will work through the tutorial in the DVWA environment for a better understanding of SQL injection.
Practical
1. For first-time users: when you log in to the DVWA environment, go to the DVWA Security tab. There you can see that the security level is set to impossible by default; choose low and then submit.
2. Now select the SQL Injection tab, where you can see the environment like the picture given below.
3. Now we enter a random user ID to get some result; here we are using 1 as the user ID.
4. We get the user's first name and surname, as in the image above. But we can see the URL above showing “?id=1”, which looks suspicious for SQL injection. To check for the SQL injection vulnerability, we put a single quote (') after ?id=1, so that the URL contains ?id=1', and then press Enter.
5. We see an SQL error, which confirms that this page has an SQL injection vulnerability.
6. Now we check the number of columns returned by this page's SQL query. For this we use “order by 5 --+” after “?id=1'”.
7. We can see that entering the number 5 after the “order by” command throws an SQL error about an unknown column, which means that the query has no column 5. So we keep decreasing the number until we get a result; as we can see, “order by 2” returns a result, so the query has two columns.
8. Now we will find the vulnerable columns using the command “union select 1,2 --+”.
9. Here we can see the numbers 1 and 2 showing in First name and Surname respectively. From this we can conclude that columns 1 and 2 are vulnerable, that is, both are displayed on the page.
10. Now we will check the database name and version by slightly changing the previous command “union select 1,2 --+”: instead of 1 we write database() to get the name of the database, and instead of 2 we write version(). So the command will look like this: “union select database(), version() --+”.
11. Now we get the result: in the First name section we get dvwa as the database name, and in the Surname section we get the database version that is running.
12. Now we will list the names of all tables using the command “union select 1,table_name from information_schema.tables --+”.
13. Now we check the columns of the users table using the command “union select 1,column_name from information_schema.columns where table_name='users' --+”.
14. Now we read the users and passwords using the command “union select user,password from users --+”.
15. Here we get all users with their passwords. The passwords are stored as MD5 hashes (MD5 is a one-way hash, not encryption), so they need to be cracked rather than decrypted. After cracking, you will get the passwords in plain text.
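The cause of the behaviour seen in steps 4 to 15, and its fix, as an added example that is not part of the original tutorial or DVWA's own code: the same lookup written once with string concatenation and once with a bound parameter. Assumptions: an in-memory SQLite database stands in for DVWA's MySQL, the table rows are constructed, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for DVWA's
# MySQL "users" table (an assumption; column names follow the tutorial).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT,"
        " last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Alice", "Example", "alice", "constructed-hash-1"),
            (2, "Bob", "Sample", "bob", "constructed-hash-2"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # Vulnerable pattern: the id is pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    query = (
        "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    # Hardened pattern: the SQL text is fixed and the id is bound as data,
    # so quotes and keywords in it are never parsed as part of the query.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


# Step 14's input with the tutorial's --+ suffix, as the server sees it after
# URL decoding ("+" becomes a space, so "-- " comments out the closing quote).
PAYLOAD = "1' union select user,password from users -- "

if __name__ == "__main__":
    db = make_db()
    for value in ("1", PAYLOAD):
        print(repr(value))
        print("  concatenated :", lookup_vulnerable(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

With the bound parameter, the whole input is compared as a single value against user_id, so the union never executes and no credential rows are returned.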
Thank You