Password and SQL Injection

BCSE 353E &Information

Course Code
security analysis and audit Slot L19+L20
&Course Title
(Embedded Lab)
Date 06.07.2023 Name
Experiment No 8 Register No

IP Address
Step 1: Open kali terminal and type the following command using metasploitable’s IP
address.

export IP=<ip address = 192.168.5.129>

cd /usr/share/wordlists/
sudo gzip rockyou.txt.gz -d
less rockyou.txt

You will get a list of common passwords. Press ctrl+z to exit

Step 2: Open mozilla firefox and type the IP address and press enter

Step 3; Click on DVWA and try anything as the username and password and press login

Step 4: Right click on the page and press inspect. Go to ‘network’ and press reload. Re-
enter the username and password while inspecting.
Step 5: Click on ‘login.php’ having the method as ‘POST’. Go to request. You will see
the username and password you entered.

Step 6: We use Hydra to bruteforce the password of DVWA login page.

sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt $IP http-post-form
"/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

You will get the username and password for the login
Step 7: Use the credentials in the login page
Step 8: Click on DVWA security tab on the left panel. Change the level to low

Remote Command Execution

Step 9: Go to Command Execution tab
Here start your command with ‘;’ in order to execute command in the terminal of
metasploitable. ‘;’ acts as the command execution tool that provides us the backdoor to
the metasploitable machine.
Step 10: Go to SQL Injection tab and type ‘ or 1=1#
You will get all the entries of the data stored inside the database.
The command acts as an always true command for selecting all the entries from the
database.