In a nutshell, SQL injection allows unauthorized people to use SQL syntax to query the web application's backend database. It is called injection because the SQL syntax is inserted into web application variables, that is, into input the application copies directly into its queries.
The purpose of this post is to raise awareness of what SQL injection is and how serious it is if the injection problem is not mitigated. This post also serves as a repository for myself to refer back to.
Because 1=1 is always true, the WHERE condition matches every row, so the SQL query succeeds and the usernames and passwords are enumerated.
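To show the defect behind the 1=1 result and the fix for it, here is an added example that is not part of the original post and not DVWA's own code. It uses a constructed in-memory SQLite users table (loosely modelled on DVWA's, with made-up rows) and three hypothetical lookup functions: one that concatenates the id into the SQL text, one that binds it as a parameter, and one that additionally validates the id before it reaches the database.

```python
import sqlite3

# Constructed sample data standing in for a DVWA-style users table (not a real dump).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Builds the query by string formatting: the input becomes part of the SQL syntax.

    A value such as  ' OR 1=1 --  turns the WHERE clause into a tautology, so every row
    is returned. This is the 'injection' the post describes.
    """
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id) -> list:
    """Sends the SQL text and the value separately (a prepared statement).

    The driver never parses the bound value as SQL, so quotes, OR and comment
    markers inside it are just characters compared against the column.
    """
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_id: str) -> list:
    """Defence in depth: the id is expected to be an integer, so reject anything else
    before it reaches the database, then still use the parameterized query."""
    if not user_id.isdigit():
        raise ValueError("user_id must be a positive integer")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 -- "
    print("vulnerable, id=2      :", lookup_vulnerable(db, "2"))
    print("vulnerable, tautology :", len(lookup_vulnerable(db, tautology)), "rows")
    print("parameterized, same   :", lookup_parameterized(db, tautology))
    print("validated, id=2       :", lookup_validated(db, "2"))
```

Running it shows the vulnerable lookup returning all five rows for the tautology input while the parameterized lookup returns none for the identical input. Parameterization is the fix; input validation and running the application's database account with only the rights it needs (no file or command-execution privileges) limit the damage if a query is missed.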
To find the number of columns returned by the query
Use the ORDER BY syntax. ORDER BY is normally used to sort the rows of a result set; because it fails when asked to sort by a column position that does not exist, the attacker can use it to determine how many columns the vulnerable query returns.
Find the MySQL version
Generate strings without quotes
Convert the string into hexadecimal; this can be done using Burp Suite.
The hexadecimal representation of "anything" is 616e797468696e67. The attacker uses the concat() function to insert the hexadecimal literal 0x616e797468696e67 into the second column, so the string appears in the output without a single quote ever being sent.
Load a file from the local file system
To find out the location of the database directory
To find out the hostname
This lab demonstrates the possibility of SQL injection; the target web server is a Linux VM. I tried the sys_eval and sys_exec functions, however these functions do not exist on DVWA. Due to the user rights, command execution is very difficult through SQL injection against a Linux server. I know Windows SQL provides a native xp_cmdshell function, however I have not tried it before.
The attacker who performs the SQL injection does not need to be a SQL expert, nor know how to create a database with SQL; the attacker only needs to know enough to fulfil his objective.