
Data Security Lab

Objective:
(i) To Study about SQL Injection
(ii) And to Perform SQL Injection in DVWA

Software Used: Here we use DVWA (Damn Vulnerable Web App), an open source
PHP/MySQL web application. Its main goal is to be an aid for security
professionals to test their skills and tools in a legal environment. It also
helps web developers better understand the processes of securing web
applications.

Theory: SQL injection is a technique often used to attack database-driven
applications and is also known as SQL fishing. This is generally done by including
SQL statements in an entry field in an attempt to get the website to pass a newly
formed rogue SQL command to the database. Injected SQL commands can alter SQL
statements and compromise the security of the web application. The vulnerability
arises when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements, or is not strongly typed and is
therefore unexpectedly executed.

Procedure: In this lab we inject always-true SQL statements into the User ID
field of the SQL Injection page, with security set to low.
1. Open Kali Linux as the root user and set the network configuration.
2. Start Firefox and type this address (http://10.9.3.146/dvwa/vulnerabilities) in the
address bar.
3. On the DVWA login page, type in Username: admin and Password: password, then
click Login.
4. Click DVWA Security in the lower-left menu, set the security level to low, and
click the Submit button.
5. There will be a User ID: field. Type in 2, click Submit, and see what
happens.

Note: the web page's code is supposed to print the ID, first name, and surname to the screen:
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
6. Always True scenario: Input the text below into the User ID textbox.
% OR 0=0 and click Submit.

In this case, we are saying display all records that are false and all records that are
true. % will probably not be equal to anything, so that comparison is false, whereas
0=0 is always true.
7. Display Database Version: Input the below text into the User ID Textbox
%' or 0=0 union select null, version() #
Click Submit

8. Display Database User: Input the below text into the User ID Textbox
%' or 0=0 union select null, user() #
Notice in the last displayed line, root@localhost is displayed in the surname.
9. Display Database Name: Input the below text into the User ID Textbox
%' or 0=0 union select null, database() #

10. Display all tables in information_schema: Input the below text into the User
ID Textbox.
%' and 1=0 union select null, table_name from information_schema.tables #
Click Submit

11. Display all the columns fields in the information_schema user table:
Input the below text into the User ID Textbox
%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
Click Submit
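
The always-true result from step 6 and the two fixes named in the Theory section (correct handling of string literals, strong typing), as an added example that is not part of the original lab sheet or of DVWA's code. It assumes Python's sqlite3 in place of PHP/MySQL, a constructed users table, and hypothetical function names.

```python
import sqlite3

# Constructed rows standing in for the lab's users table (not real lab data).
SAMPLE_USERS = [(1, "admin", "admin"), (2, "Bob", "Baker"), (3, "Carol", "Clark")]

# The lab's always-true form, with SQLite's "--" comment in place of MySQL's "#".
ALWAYS_TRUE = "%' or 0=0 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    # Input is pasted into the SQL text, so a quote in it ends the string
    # literal and whatever follows is parsed as SQL.
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    # The placeholder binds the input as a value; it is never parsed as SQL.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def lookup_typed(conn, user_id):
    # Strong typing: accept only ASCII digits, then bind the integer.
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("user_id must be a decimal integer")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, ALWAYS_TRUE))
    print("parameterized:", lookup_parameterized(db, ALWAYS_TRUE))
    try:
        lookup_typed(db, ALWAYS_TRUE)
    except ValueError as exc:
        print("typed:         rejected,", exc)
```

The concatenated query returns every row for the always-true input, the parameterized query returns none, and the typed lookup rejects the input before any SQL runs.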
Conclusion:
