-> DVWA - Damn Vulnerable Web Application
-> Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
-> What is SQL Injection?
-> SQL injection is a code injection technique that exploits a security vulnerability in an application's software. It is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., to copy/dump the database contents to the attacker).
-> The vulnerability occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL or other database.
Now let's start the practical:
DVWA (Windows)
-> I'm using XAMPP for Apache (server) -> log in to DVWA (address: 127.0.0.1 (localhost))
-> After login, go to the DVWA Security option, set security to Low and click "Submit"
-> Now select SQL Injection:
-> Type 1 and submit:
-> Type 2 and submit: what we get: id, first name and surname
-> Now let's see the source code for low security
<?php
$id = $_GET['id'];                                                            // raw, unvalidated user input
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";     // input spliced straight into the SQL text
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );    // the raw MySQL error is echoed back to the user
$num = mysql_numrows($result);
$i = 0;
(We can see it's a very simple query without any protection, so we can easily break it.)
-> As we know, the way to check for SQL injection is to append a single quote to the value (1'), e.g. php?id=1'
-> Error message -> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
hahahah -> so simple; now we can recognize it's vulnerable to SQL injection
-> Now simply write in the text box ---> 1' or '1' = '1 and then "Submit"
-> Now we can see we get all the information stored in the current database
-> Now set DVWA security to Medium
-> Let's check the source code first
-> In the source code ---> $id = mysql_real_escape_string($id);
-> We can say the developer added some protection here against SQL injection
-> As above, write 1' in the text box and "Submit"
-> In medium security the error is different from low security
-> You can also Google this error for more understanding
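Both the low-level code above and the medium-level mysql_real_escape_string() fix leave user input inside the SQL text; escaping only neutralises quote characters within a quoted string literal. The following is an added example (not DVWA's own code) that rebuilds the same lookup with a mysqli prepared statement and an integer check, so the id is never part of the statement text. The connection credentials are placeholders.

```php
<?php
// Added example, not DVWA code: the same user lookup with a bound parameter.
function lookup_user(mysqli $db, string $rawId): array
{
    // Treat the id as an integer first: anything that is not a plain
    // non-negative number (e.g. 1' or '1' = '1) is rejected before it
    // reaches the database. ctype_digit('') is false, so empty input fails too.
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('user_id must be numeric');
    }
    $id = (int) $rawId;

    // The SQL text is fixed; the "?" is filled in by the driver, so no
    // value from the request can change the structure of the query.
    $stmt = $db->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = ?'
    );
    $stmt->bind_param('i', $id);   // 'i' = bind as integer
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Placeholder credentials (assumption): use the real DVWA database account.
$db = new mysqli('127.0.0.1', 'dvwa_user', 'dvwa_password', 'dvwa');
$db->set_charset('utf8mb4');

try {
    // With "1" this returns one row; with "1' or '1' = '1" the
    // ctype_digit check throws and nothing is sent to MySQL.
    foreach (lookup_user($db, $_GET['id'] ?? '') as $row) {
        echo htmlspecialchars($row['first_name']) . ' '
           . htmlspecialchars($row['last_name']) . "\n";
    }
} catch (InvalidArgumentException $e) {
    // Generic client error instead of echoing mysql_error() to the user.
    http_response_code(400);
    echo 'Invalid id';
}
```

The htmlspecialchars() calls are there because the same page also renders the result, and names pulled from the database should not be echoed as raw HTML.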
-> Now the real task begins...
-> I'm using the Tamper add-on here for tampering with the request data... you can download it from the add-ons store (Mozilla Firefox)
-> At the time of submitting the value I'm using Tamper
-> Now I'm using sqlmap
-> You can download sqlmap from --->>> http://sqlmap.org/
-> sqlmap needs Python --->>> https://www.python.org/downloads/
-> In sqlmap, copy the URL and paste it after the -u ".." option
-> Now copy the cookies from Tamper and paste them after the --cookie=".." option
--> We want the database names, so we use the --dbs option
-> After hitting Enter we get details about the OS, web server, back-end DBMS and web application technology
-> And we also get all the databases stored in the DBMS
-> For the current database use the --current-db option at the end..
--> dvwa is our current database...
--> Now we want all the tables contained in the current database..
so I'm using -D dvwa --tables at the end..
-> From the current database we get 2 tables: 1> guestbook
2> users
--> Now for the columns of a particular table use -T (table name) --columns
--> I'm doing this on the "users" table
--> See, I get all the columns of the users table with their types
--> Now I want to copy/dump all the data contained in the users table
--> So I'm using -T users --dump
--> See, I got all the data, and sqlmap also stores it on your system drive in the D:\users\name\.sqlmap\output\127.0.0.1 folder in CSV format..
Try the same technique on High security and tell me what the output is, and whether it is possible to get data the same as at Medium security or not...!!