LAB Testing with DVWA – Part I [SQL Injection Exploitation]
To exploit SQL injection vulnerabilities, it is essential to understand how the query is built, so that the injected parameter leaves the query true. For example, in this SQL injection tutorial there is a text field that asks for a user ID. Entering the number 1 and clicking the Submit button returns the first name and the surname of the user with ID=1.
The query executed in the database is as below:
[SELECT First_Name,Last_Name FROM users WHERE ID='1';]
To find the first names and surnames of all the users, let's try changing the ID number in the URL [127.0.0.1/dvwa/vulnerabilities/sqli/?id=(1,2,3,4)&Submit=Submit#] or in the submit field to other values.
The next test is to identify what kind of database is running on the back end, in order to construct the queries accordingly and extract the information.
The idea is to make the database respond with an error message that contains the database type and version. A single quote ['] forces the database to treat any characters that follow the quote as a string, which causes a syntax error. The vulnerable parameter id=' causes the database to generate an error message, as shown in the browser. However, it fails to show its version number. Let's proceed with finding the version:
A UNION statement is used for the identification: [union select 1,@@version#]
The result shows the database running on MySQL Ver: 5.5.27
Besides that, we are also able to perform hostname discovery with the @@hostname variable:
Hostname discovery via SQL injection: [' union select null,@@hostname #]
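The query shown at the start of this lab is injectable because the user ID is pasted into the SQL text. The following added example (not DVWA's own code) builds that query both by concatenation and with a bound parameter and feeds each the inputs used on this page. It assumes an in-memory SQLite table with constructed rows instead of the lab's MySQL, so the MySQL-specific input only produces a syntax error here; the function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (SQLite in memory, not the lab's MySQL).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (ID INTEGER PRIMARY KEY, First_Name TEXT, Last_Name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "Alice", "Example"), (2, "Bob", "Sample")])
    return db

def lookup_concatenated(db, user_id):
    # Vulnerable pattern: the input becomes part of the SQL text itself.
    query = "SELECT First_Name, Last_Name FROM users WHERE ID='" + user_id + "';"
    return db.execute(query).fetchall()

def lookup_bound(db, user_id):
    # Hardened pattern: the SQL text is fixed and the input is bound as a value.
    query = "SELECT First_Name, Last_Name FROM users WHERE ID = ?;"
    return db.execute(query, (user_id,)).fetchall()

def outcome(lookup, db, user_id):
    # Report the rows, or "SQL error" when the input broke the statement's syntax.
    try:
        return lookup(db, user_id)
    except sqlite3.Error:
        return "SQL error"

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the page: a valid ID, the single quote, the hostname query.
    for value in ["1", "'", "' union select null,@@hostname #"]:
        print(repr(value))
        print("  concatenated:", outcome(lookup_concatenated, db, value))
        print("  bound:       ", outcome(lookup_bound, db, value))
```

With the bound parameter, the quote and the UNION text are compared against the ID column as plain data, so they match no row and never reach the SQL parser.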
The scenario and testing above give an idea of how SQL injection can be used to discover information about, and abuse, a server with such vulnerabilities. Beyond a simple statement and version or host discovery, never forget the in-depth damage that can possibly be done. Enjoy the tutorial and sample, and always be ethical. 🙂