Manual SQL Injection Using DVWA
SQL can:
- Execute queries against a database
- Retrieve data from a database
- Insert new records in a database
- Delete records from a database
- Update records in a database
The Anatomy of a Web Application (How a web application works)
A web application is the target of a SQL injection attack, so you must understand how these apps
work. A web application is a computer program that uses web browsers and web technology to
perform tasks over the Internet. A web application works by performing these steps:
Step 1: The user accesses a web application via a web browser or mobile application, triggering a
request to the web server over the Internet. Note that there may be security measures (e.g. firewalls or
cloud access security brokers) and load balancers in
Step 2: The web server forwards the request to the web application server. The web application
server performs the requested task – such as querying the database or processing the data – then
generates the results.
Step 3: The web application server sends the results back to the web server.
Step 4: The web server delivers the requested information to the client (desktop, mobile device, tablet,
etc.) and the information appears on the user’s display.
SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the
client to the application. A successful SQL injection exploit can read sensitive data from the
database, modify database data (Insert/Update/Delete), execute administration operations on the
database (such as shutdown the DBMS), recover the content of a given file present on the DBMS
file system and in some cases issue commands to the operating system.
A SQL query is a request for some action to be performed on a database. Typically, on a web
form for user authentication, when a user enters their name and password into the text boxes
provided for them, those values are inserted into a SELECT query.
If the values entered are found as expected, the user is allowed access; if they aren't found,
access is denied. However, most web forms have no mechanisms in place to block input other
than names and passwords. Unless such precautions are taken, an attacker can use the input
boxes to send their own request to the database, which could allow them to download the entire
database or interact with it in other illicit ways.
Example of SQL injection
SQL Injection Countermeasures
First, one of the most powerful tools to thwart SQL injection is to use validation. For example, if
your application expects an e-mail address then the application should not accept data that does
not match the format of an e-mail address. Or if it expects numbers, it should not accept symbols
or letters. Validation can be performed by whitelisting (or blacklisting) what is (or is not) acceptable
to an application.
Validation of information can take place on either the client side or the server side. It’s best to use
both, because client-side validation is easy for an attacker to thwart. It may seem that, since
server-side validation eliminates the security risk completely, the best option would be to always use
server-side validation alone, but this is not the case. Client-side validation is valuable because it
not only offloads some processing to the client, but also prevents bad or bogus input from
reaching the server in the first place.
DVWA
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn
vulnerable.
Its main goals are to be an aid for security professionals to test their skills and tools in a legal
environment, help web developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a class room environment.
The DVWA project started in December 2008 and has steadily grown in popularity.
It is now used by thousands of security professionals, students and teachers worldwide.
DVWA is now included in popular penetration testing Linux distributions such as Samurai Web
Testing Framework and many others.
Security Levels of DVWA
High - This level gives the user an example of good coding practices. This level should be
secure against all vulnerabilities. It is used to compare the vulnerable source code to the secure
source code.
Medium - This security level mainly gives the user an example of bad security practices,
where the developer has tried but failed to secure an application. It also acts as a challenge for
users to refine their exploitation techniques.
Low - This security level is completely vulnerable and has no security at all. Its use is as an
example of how web vulnerabilities manifest through bad coding practices and as a platform to
teach or learn basic exploitation techniques.
Desktop Mockup
The DVWA database has a table named ‘users’ which holds the following data:
Source code for low security level
<?php
if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input (no validation: whatever the client sends is used as-is)
    $id = $_REQUEST[ 'id' ];

    // Check database
    // $id is concatenated straight into the SQL string; this is the injection point
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user (every matching row is echoed back, not just one)
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    mysqli_close($GLOBALS["___mysqli_ston"]);
}
?>
For input User ID: 1
For input User ID: 1' OR '1=1
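The DVWA low-level query above, together with the validation and parameterization countermeasures described earlier, reproduced as an added Python example (this is not DVWA's own code). It uses an in-memory SQLite database with constructed sample rows standing in for DVWA's MySQL `users` table; the function names and the sample data are assumptions. `lookup_low` builds the query by string concatenation exactly as the PHP does, so the two inputs shown above (`1` and `1' OR '1=1`) behave the same way: the second returns every row. `lookup_hardened` rejects anything that is not a plain integer (whitelist validation) and binds the value as a query parameter, so the input can only ever be compared as data.

```python
import re
import sqlite3

# Constructed sample data standing in for DVWA's `users` table
# (the real table's contents are not reproduced here).
SAMPLE_USERS = [
    (1, "Alice", "Anderson"),
    (2, "Bob", "Brown"),
    (3, "Carol", "Clark"),
    (4, "Dave", "Davis"),
    (5, "Eve", "Evans"),
]


def make_db():
    """Create an in-memory SQLite database with a DVWA-like users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_low(conn, user_id):
    """Mirror of DVWA's low-level code: the id is pasted into the SQL text.

    Whatever the user types becomes part of the statement, so a quote in
    the input changes the query's structure instead of being compared as data.
    """
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, user_id):
    """Whitelist validation plus a parameterized query.

    1. The application expects a numeric id, so any input that is not a run
       of digits is rejected before it reaches the database.
    2. The value is bound as a parameter; the driver passes it as data, so
       it is never parsed as SQL.
    """
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError(f"invalid user id: {user_id!r}")
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The two inputs from the DVWA screenshots above.
    for payload in ("1", "1' OR '1=1"):
        print("low-level:", repr(payload), "->", lookup_low(db, payload))
        try:
            print("hardened :", repr(payload), "->", lookup_hardened(db, payload))
        except ValueError as exc:
            print("hardened :", repr(payload), "-> rejected:", exc)
```

Running it prints one row for `1` under both functions, all five constructed rows for `1' OR '1=1` under the low-level function, and a rejection for that same input under the hardened one. The check `re.fullmatch(r"[0-9]+", ...)` is the "if it expects numbers, it should not accept symbols or letters" rule from the countermeasures section; the parameter binding is the defence that holds even where validation is looser.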
The next step will be to try to identify what kind of database is running on the back-end in order to
construct the queries accordingly.
Most of the time the web application technology (Java, ASP.NET, PHP etc.) will give us an idea of
the database that the application is using.
Technology   Database
ASP.NET      Microsoft SQL Server
PHP          MySQL
Java         Oracle or MySQL
We can very easily identify the database type, especially if we are in a non-blind situation. The
basic idea is to make the database respond in a way that produces an error message containing
the database type and version.
Input: 1 or 1=1'
Input: %' or 0=0 union select null , version() #
PHP Intrusion Detection System
PHP-IDS is a popular PHP Intrusion Detection System (IDS) also known as a Web Application
Firewall (WAF).
PHP-IDS works by filtering any user supplied input against a blacklist of potentially malicious
code.
PHP-IDS is used in DVWA to serve as a live example of how WAFs can help improve security in
web applications and in some cases how WAFs can be circumvented.
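A simplified blacklist filter in the spirit of the PHP-IDS approach described above, as an added Python example; it is not PHP-IDS's own rule set or code. The rule patterns, impact scores, threshold and sample requests are all constructed for illustration. It is run over the inputs shown earlier in this deck (`1`, `1' OR '1=1`, `1 or 1=1'` and the `union select ... version()` fingerprinting input) and over one benign phrase, which shows the two limits of blacklist matching: legitimate text can trip a rule, and anything not on the list passes unnoticed.

```python
import re

# Constructed blacklist rules (illustrative, not PHP-IDS's actual rules).
# Each rule: (regex, description, impact score).
RULES = [
    (r"'\s*(or|and)\s+['\w]", "quote followed by boolean operator", 4),
    (r"\bunion\s+(all\s+)?select\b", "UNION SELECT", 5),
    (r"\bversion\s*\(", "version() fingerprinting", 3),
    (r"(#|--\s|/\*)", "SQL comment sequence", 2),
    (r"\bor\s+\d+\s*=\s*\d+", "always-true numeric comparison", 3),
]
COMPILED = [(re.compile(p, re.IGNORECASE), desc, score) for p, desc, score in RULES]


def inspect(value):
    """Return (total impact, [descriptions of matched rules]) for one input value."""
    matched = [(desc, score) for rx, desc, score in COMPILED if rx.search(value)]
    impact = sum(score for _, score in matched)
    return impact, [desc for desc, _ in matched]


def scan_request(params, threshold=3):
    """Flag every request parameter whose impact reaches the threshold.

    Returns {param_name: (impact, [matched rules])} for flagged parameters;
    an empty dict means the request would be passed through untouched.
    """
    findings = {}
    for name, value in params.items():
        impact, hits = inspect(value)
        if impact >= threshold:
            findings[name] = (impact, hits)
    return findings


if __name__ == "__main__":
    # Constructed sample requests: the DVWA inputs from this deck plus one
    # benign phrase that happens to match the quote/OR rule (a false positive).
    samples = [
        {"id": "1", "Submit": "Submit"},
        {"id": "1' OR '1=1", "Submit": "Submit"},
        {"id": "1 or 1=1'", "Submit": "Submit"},
        {"id": "%' or 0=0 union select null , version() #", "Submit": "Submit"},
        {"q": "editors' or writers' picks"},
    ]
    for req in samples:
        print(req, "->", scan_request(req) or "clean")
```

The benign search phrase is flagged with the same score as the first DVWA payload, which is why a blacklist WAF is a detection layer on top of, not a replacement for, server-side whitelist validation and parameterized queries in the application itself.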
Thank you