DVWA Walkthrough Part 6: SQL Injection


For the sixth installment of our Damn Vulnerable Web App walkthrough we will use a SQL injection vulnerability to obtain all of the usernames and passwords within the application. This one is also very simple to exploit and really doesn't require the aid of Burp Suite at all. In a more complex application we may want to use tools like Burp Suite or SQLMap to automate the enumeration of the columns and tables within the database.

To start, click on the SQL Injection link in the left-hand menu and we are presented with an input field and a submit button.

SQL injection vulnerabilities are typically caused by a lack of input validation combined with concatenated queries (building the SQL query string by appending input provided by the end user). When looking for strings to test for SQL injection, a good place to start is a SQL injection cheat sheet.


We start with

' OR 1 = 1 -- 

which is essentially SQL speak for "select everything in the table", and it works: the application returns every user instead of a single record.

This is the query the developer intended:

"SELECT first_name, last_name FROM users WHERE user_id = '$id'"

However, because the developer did not sanitize the input, the query that is actually executed looks like this:

"SELECT first_name, last_name FROM users WHERE user_id = '' OR 1 = 1 -- '"

But the goal of this challenge is not to get a list of all the users but to get the usernames and passwords, so we are not done just yet. To do this we will leverage the SQL UNION statement to pull the user and password columns from the users table.

' UNION SELECT user, password from users -- 


And there we have it: a list of usernames and MD5 password hashes from the database. The last step, which I will leave to the reader, is to crack the MD5 hashes to obtain the plaintext.
Hint: http://www.md5crack.com
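To make the root cause concrete, here is an added example that is not part of the original post and not DVWA's own PHP code: a small Python/sqlite3 stand-in for the users table that runs the post's intended query both the concatenated way and the parameterized way against the same inputs. The column names come from the query above; the sample rows and hash strings are constructed placeholders.

```python
import sqlite3

# Constructed sample rows (not DVWA's real data): user_id, first_name, last_name, user, password
SAMPLE_USERS = [
    (1, "Alice", "Example", "alice", "<constructed-md5-hash-1>"),
    (2, "Bob", "Example", "bob", "<constructed-md5-hash-2>"),
    (3, "Carol", "Example", "carol", "<constructed-md5-hash-3>"),
]

# A normal lookup plus the two injection strings the post walks through
NORMAL_ID = "1"
TAUTOLOGY = "' OR 1 = 1 -- "
UNION_PAYLOAD = "' UNION SELECT user, password from users -- "


def make_db():
    """In-memory stand-in for the users table (assumption: same column names as the post's query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, user_input):
    """The post's intended query built by string concatenation: the input is parsed as SQL syntax."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_input + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_input):
    """Hardened form: the driver binds the value, so quotes, OR and UNION remain plain data."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_input,)).fetchall()


def compare(user_input):
    """Run both versions on one input; returns (concatenated_rows, parameterized_rows)."""
    conn = make_db()
    try:
        return lookup_concatenated(conn, user_input), lookup_parameterized(conn, user_input)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, value in [("normal", NORMAL_ID), ("tautology", TAUTOLOGY), ("union", UNION_PAYLOAD)]:
        vuln, safe = compare(value)
        print(f"{label:10} concatenated -> {len(vuln)} rows, parameterized -> {len(safe)} rows")
```

A single-record lookup that suddenly returns every row, or returns columns the query never named, is exactly the behaviour to alert on in query logs; the parameterized version returns the one matching row for a real id and nothing at all for either injection string.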
