SQL Injection On Dvwa and Acunteix Assessment Report: Assignment-4
SQL Injection On Dvwa and Acunteix Assessment Report: Assignment-4
SQL Injection On Dvwa and Acunteix Assessment Report: Assignment-4
1 Introduction
2 Installation
3 Setup DVWA for SQL Injection
1 What is SQL Injection
A SQL injection attack consists of the “insertion/injection” of a SQL query via the
input data from the client to the application. A successful SQL injection exploit —
can read/modify(Insert/Update/Delete) sensitive data from the database, execute
administration operations(such as shutdown the DBMS), recover the content of a
given file present on the DBMS file system, and in some cases issue commands to the
operating system.
SQL injection attacks — in which SQL commands are injected into data-plane input in order to affect
the execution of predefined SQL commands. — OWASP.
Verizon Attack Vector Summary – confirmed breaches (percent of total records stolen)
2 Download Damn Vulnerable Web Application (DVWA)
To get started, we will need to clone the DVWA GitHub into our /var/www/html directory. That is
the location where Localhost files are stored in Linux systems. Launch the Terminal and change our
directory to the /var/www/html directory with the command below. In this we have done check with
version of php required.
The following command lists all PHP-related packages that exist on the current system, and saves
them to a text file named packages.txt. This helps to reconstruct the same list of packages on PHP
8.2.
All PHP 8.2 packages available in the repository added in step #2 follow php8.2- naming pattern.
Bundled extensions in PHP, such as json, ctype, date, random, etc do not need to be installed
manually. The php8.2-common package includes several common PHP packages. It is possible to
selectively disable unnecessary extensions later.
2.4. Install and enable server APIs
On a system that a web server integrates with PHP, install the additional Server API packages. The
following are some examples on most popular combinations:
2.5 Configure Apache Server
Now, we need to configure the server. Use the command below to change your location on the
Terminal to point to /etc/php/8.2/apache2 directory.
In the /etc/php/8.2/apache2, when you execute the ls command, you will see a file called php.ini.
That is the file we will edit to configure our localhost server. Use the command below to open it
using the nano editor.
To check whether the service started successfully, use the status command.
php8.2-cli - command interpreter, useful for testing PHP scripts from a shell or performing general
shell scripting tasks
php8.2-common - documentation, examples, and common modules for PHP
php8.2-mariadb-server- for working with MySQL databases
php8.2-apache2 – running apache server for gui
php8.2-libapache2-mod-php - for working with images
php8.2-nginx - used to manage redirecting which is in js and css
php8.2-curl - lets you make HTTP requests in PHP
php8.2-xml - for working with XML data
php8.2-bcmath - used when working with precision floats
Interestingly, when you check the URL, you will see there is an injectable parameter which is the
ID. Currently, my URL looks like this:
http://127.0.0.1:42001/vulnerabilities/sqli/?id=4&Submit=Submit&user_token=eb6d5cfd46b2f90034ccc829
2da1ac09#
Due to security level is impossible we coudnt perform any injection attacks on search We need to
keep it low for getting sql injection attack works
Step 3: Always True Scenario
An advanced method to extract all the First_names and Surnames from the database would be
to use the input: %' or '1'='1'
Step 4: Display Database Version
To know the database version the DVWA application is running on, enter the text below in the
User ID field.
Step 5: Display Database User
To display the Database user who executed the PHP code powering the database, enter the text
below in the USER ID field.
%' and 1=0 union select null, table_name from information_schema.tables where
table_name like 'user%'#
Step 9: Display all the columns fields in the
information_schema user table
We will print all the columns present in the users’ table. This information will include column
information like User_ID, first_name, last_name, user, and password. Enter the input in the
User_ID field.
Conclusion
From the various examples listed in this article, SQL injection proves to be a critical vulnerability
that can exist in a system. Not only can attackers exploit it to reveal user or customer
information, but it can also be used to corrupt the entire database thus bringing the whole
system down. As of writing this post (2021), Injection is listed as the number one vulnerability in
the OWASP Top 10 Vulnerabilities summary. The DVWA acts as a reliable resource for both
penetration testers who want to improve their skills and web developers who want to develop
systems with security in mind.
3. Blind SQLi
i) Time based SQLi
ii) Boolean based SQLi
In Union Based SQL Injections, we try to modify the existing SQL Query, in order to retrieve
sensitive information from the database.
3. But here, as we don’t know the table_names, we will start by guessing the number of columns in
the database. Use query order by 10--. Depending on the quote used in the DB, modify the request
accordingly. Here, we are not getting any error, this confirms that at least 10 columns exist.
http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11--
6. Finally, we got the table_name & column_name. Time to dump the credentials. Use query union
select 1,uname,3,4,5,6,pass,8,9,10,11 from users --. As value 7 is also vulnerable, we can retrieve
details over there. Scroll down to bottom to view the results.