“There is no delight in owning anything unshared.”

deSheep in the LAB

LAB Testing with DVWA – Part I [SQL Injection Exploitation]

In order to exploit SQL injection vulnerabilities, understanding how the query is built is essential, so that the parameter we inject keeps the query true. For example, in the SQL Injection tutorial there is a text field that asks for a user ID. Entering the number 1 and clicking the Submit button returns the first name and surname of the user with ID=1.

[Screenshot: User ID 1]

Executed query in the database as below:

[SELECT First_Name,Last_Name FROM users WHERE ID='1';]

In order to find the first names and surnames of all the users, let's try changing the ID number in the URL [ =(1,2,3,4) &Submit=Submit#] or in the Submit field to other values.

[Screenshot: User ID 4]

The next test is to identify what kind of database is running on the back-end, in order to construct the queries accordingly and extract the information.

Version Identify

The idea is to make the database respond with an error message that contains the database type and version. A single quote ['] forces the database to treat the characters following it as part of a string, which causes a syntax error. Supplying the vulnerable parameter as id=' makes the database generate an error message, which is shown in the browser. However, that error does not reveal the version number, so let's proceed with version discovery:

[Screenshot: Show Version]

A UNION statement is used for the identification: [union select 1,@@version#]

Running on MySQL Ver: 5.5.27

Besides this, we are also able to perform hostname discovery with the @@hostname statement:


[Screenshot: Hostname discovery via SQL injection with ' union select null,@@hostname #]

The scenario and testing above illustrate how SQL injection can be used to discover information and abuse a server with such vulnerabilities. Beyond a simple statement and version or host discovery, never forget the in-depth damage that can possibly be done. Enjoy the tutorial and samples, and always be ethical. 🙂
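As an added example that is not part of the original post, the following Python script flags the probes used above (a lone quote in id, ' union select, @@version and @@hostname) in web server access logs from the defender's side. The Apache combined-format log lines and the /dvwa/vulnerabilities/sqli/ path are constructed for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2013:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2013:10:01:30 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2013:10:02:11 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+select+1%2C%40%40version%23&Submit=Submit HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2013:10:03:45 +0000] "GET /dvwa/vulnerabilities/sqli/?id=4&Submit=Submit HTTP/1.1" 200 1530 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2013:10:04:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+select+null%2C%40%40hostname+%23&Submit=Submit HTTP/1.1" 200 1598 "-" "Mozilla/5.0"
"""

# Only the fields needed here: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule names one probe technique shown in the tutorial above.
RULES = [
    ("union-select", re.compile(r"'\s*union\s+select", re.I)),
    ("version-probe", re.compile(r"@@version", re.I)),
    ("hostname-probe", re.compile(r"@@hostname", re.I)),
    ("lone-quote", re.compile(r"^\s*'\s*$")),
]


def classify_id(value):
    """Return the names of every rule the (already URL-decoded) id value matches."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text):
    """Return (ip, decoded id, [rule names]) for each request whose id matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs URL-decodes the values, so %27 becomes a quote and %23 a '#'.
        params = parse_qs(urlparse(m.group("path")).query)
        for value in params.get("id", []):
            matched = classify_id(value)
            if matched:
                hits.append((m.group("ip"), value, matched))
    return hits


if __name__ == "__main__":
    for ip, value, matched in scan_log(SAMPLE_LOG):
        print(f"{ip} id={value!r} -> {', '.join(matched)}")
```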

LAB Testing with DVWA – [SQL Injection Statements]

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability occurs when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed.

  • Incorrectly filtered escape characters

When user input is not filtered for escape characters and is passed straight into an SQL statement, the end-user of the application can manipulate the statements performed on the database. The following line of code illustrates this vulnerability:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from its table of users. However, if the “userName” variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the “userName” variable as:

' or '1'='1
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /*

renders one of the following SQL statements:

SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

The following value of "userName" would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table, using an API that allows multiple statements:

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

While most SQL server implementations allow multiple statements to be executed in one call this way, some SQL APIs, such as PHP's mysql_query() function, do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but does not stop them from modifying the existing query.

  • Incorrect type handling

This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This can happen when a numeric field is used in an SQL statement, but the programmer makes no check to validate that the user-supplied input is numeric. For example:

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number corresponding to the "id" field. However, if it is in fact a string, then the end-user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to

1;DROP TABLE users

will drop (delete) the “users” table from the database, since the SQL would be rendered as follows:

SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
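As an added example (not code from the original post or from DVWA), the script below reproduces both flaws described above, string concatenation with unfiltered quotes and a numeric field with no type check, against an in-memory SQLite table, and places each beside a parameterised, type-checked version. The users table and its rows are constructed for the demo; sqlite3's executescript() stands in for a multi-statement API, and the page's userinfo table is folded into the same users table.

```python
import sqlite3


def make_db():
    """Fresh in-memory database with a small constructed users table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1,'admin'),(2,'gordonb'),(3,'pablo');"
    )
    return con


def table_exists(con, name):
    """True while the named table is still present in the schema."""
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?;",
                      (name,)).fetchone()
    return row is not None


def by_name_vulnerable(con, user_name):
    # Concatenation as in the statement above: a quote in user_name closes the
    # string literal and the rest of the input is parsed as SQL.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return con.execute(statement).fetchall()


def by_name_safe(con, user_name):
    # Parameter binding: the driver passes the value separately, so a quote stays data.
    return con.execute("SELECT * FROM users WHERE name = ?;", (user_name,)).fetchall()


def by_id_vulnerable(con, a_variable):
    # No type check; executescript accepts stacked statements like a multi-statement API.
    statement = "SELECT * FROM users WHERE id = " + a_variable + ";"
    con.executescript(statement)
    return table_exists(con, "users")


def by_id_safe(con, a_variable):
    # Enforce the intended type before the value gets anywhere near the query.
    if not a_variable.isdigit():
        raise ValueError("id must be a plain integer")
    return con.execute("SELECT * FROM users WHERE id = ?;", (int(a_variable),)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(by_name_vulnerable(con, "' or '1'='1"))      # every row comes back
    print(by_name_safe(con, "' or '1'='1"))            # [] : no user has that name
    print(by_id_vulnerable(con, "1;DROP TABLE users"))  # False: the table is gone
```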

LAB Testing with DVWA – [Installation]

DVWA is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand how to secure web applications, and to provide a web application learning environment for newbies.

WARNING!! – from DVWA: Users are not supposed to, and are not encouraged to, upload it to their hosting provider's public html folder or any working web server, as it will be hacked!!

Step 1: [Installation] Guide from DVWA:


Default username = admin

Default password = password

  • Installation of DVWA can be done by installing 'XAMPP' if you do not have a web server set up.
  • XAMPP is a very easy-to-install Apache distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, an FTP server and phpMyAdmin.
  • XAMPP can be downloaded from: http://www.apachefriends.org/en/xampp.html
  • Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser to

Step 2: [Setup Database]

Click on the Setup button in the main menu, then click on the 'Create / Reset Database' button. This will create / reset the database for you, with some data in it.

[Screenshot: Database Setup DVWA]

[Screenshot: After installation, DVWA is successfully hosted and running on a MySQL backend database]

If you get any error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php