"Injection" is the most notorious web application security risk; it holds first place in the OWASP Top Ten list. There are many kinds of injection, such as SQL, NoSQL, and LDAP injection, and SQL injection is the most commonly exploited of them. In SQL injection, attacker-supplied SQL fragments are submitted through input fields such as web forms and end up executed by the database, for purposes such as logging into a web application without valid credentials or dumping the database contents.
1) Log in to Kali Linux on the Netlab environment.
2) Open Firefox by clicking the Kali icon in the bottom left corner, typing Firefox, and clicking the Firefox ESR icon.
3) Visit this page: http://192.168.2.15/dvwa/login.php
4) Log in to the web application by typing user as the Username and user as the Password.
5) Click on SQL Injection in the left menu.
6) Type 1 and click Submit.
This is a simple web application: it returns the user information for whatever user ID you type in.
7) Now add a single quote (') after the 1 and click Submit. You will see an error message.
Note: This error message is an indication that the web application is vulnerable. It is not a custom message produced by the web application; it is the raw error message generated by the SQL server, passed straight through to the browser, which shows that the quote reached the database as part of the query.
8) Exploit the vulnerability and dump all user information stored in the database by typing the following (including the trailing space) and clicking Submit.
1' or '1=1'-- 
The characters, in order, are:
1) One
2) Single quote
3) Space
4) The letter o
5) The letter r
6) Space
7) Single quote
8) One
9) Equal sign
10) One
11) Single quote
12) Dash
13) Dash
14) Space
Take a screenshot of the browser window showing the dump of all user accounts.
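Why the step 8 string works, and what stops it, as an added illustration that is not part of the lab or of DVWA's own code: the first lookup splices the user ID into the SQL text the way the vulnerable page does, the second binds it as a parameter. It uses Python's sqlite3 with a constructed three-row table standing in for the lab's users table (DVWA itself is PHP on MySQL); the function names are my own.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (not DVWA's real data).
SAMPLE_USERS = [
    (1, "alice", "example"),
    (2, "bob", "example"),
    (3, "carol", "example"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """The flawed pattern: the submitted ID is pasted into the SQL text, so a quote
    in the input closes the string literal and the rest becomes SQL syntax."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_id):
    """The hardened pattern: the driver binds the ID as a value; whatever it
    contains is compared against user_id and never parsed as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def probe(conn, lookup, user_id):
    """Return the number of rows a lookup yields, or 'db_error' when the database
    rejects the query (the raw error the lab treats as a sign of injectable input)."""
    try:
        return len(lookup(conn, user_id))
    except sqlite3.Error:
        return "db_error"


def demo():
    """Run the lab's three inputs (1, 1', and the step 8 string) through both lookups."""
    conn = make_db()
    payload = "1' or '1=1'-- "  # the exact character sequence listed in step 8
    return {
        "vuln_normal": probe(conn, vulnerable_lookup, "1"),      # 1 row, as intended
        "vuln_quote": probe(conn, vulnerable_lookup, "1'"),      # unterminated string -> error
        "vuln_payload": probe(conn, vulnerable_lookup, payload), # '1=1' is truthy -> every row
        "safe_normal": probe(conn, safe_lookup, "1"),            # 1 row
        "safe_quote": probe(conn, safe_lookup, "1'"),            # no such ID -> 0 rows, no error
        "safe_payload": probe(conn, safe_lookup, payload),       # no such ID -> 0 rows
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} -> {result}")
```

The vulnerable path leaks a database error for the lone quote and returns the whole table for the step 8 string; the parameterised path returns zero rows for both, because the input is only ever a value to compare against user_id.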
Note: sqlmap (http://sqlmap.org/) is a powerful utility for performing automated SQL injection testing. It ships with the Kali Linux distribution. Most pen testers use sqlmap to try many different SQL injection payloads against a given web form.