Wednesday, February 1, 2012

SQL Injection in DVWA

Now we try a SQL injection attack in DVWA.

1. Information gathering, vulnerability assessment
We can test whether the web application is vulnerable by entering input that starts with '


We can see that a MySQL error message appears.


So now we know that the database software is MySQL and that the input form is not validated. This means we can inject SQL commands via the input box.

We try adding a SQL fragment with an OR condition to the input that will be sent:
'OR '1'='1' -- ';


Now we have information about the fields of the table. These are "ID", "First Name" and "Surname".

Let's try to identify the number of fields, to see whether there is still another field or not, by typing 'OR '1'='1'  ORDER BY 3-- ';

The point to focus on is the field number "3": is there still a fourth field (0,1,2,3) or not?
From the error message we know that there is no fourth field.
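
Why the three inputs above behave this way, and what changes once the query is parameterized, shown as an added example that is not part of the original post or DVWA's own code. It assumes a query built by string concatenation, a constructed `users` table, and sqlite3 as an offline stand-in for MySQL, so the error text differs from the MySQL message.

```python
import sqlite3

# Constructed stand-in for the DVWA table; sqlite3 replaces MySQL so this runs offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("1", "Ann", "Lee"), ("2", "Bob", "Ray"), ("3", "Cy", "Poe")])
    return db

def lookup_concat(db, user_id):
    """Unvalidated form (assumed query shape): the input is pasted into the SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # Echoing the driver error back to the page is what reveals the database product.
        return ("error", str(exc))

def lookup_param(db, user_id):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return ("rows", db.execute(sql, (user_id,)).fetchall())

# The three inputs used in the post, copied verbatim.
INPUTS = ["'", "'OR '1'='1' -- ';", "'OR '1'='1'  ORDER BY 3-- ';"]

def compare():
    """Run every input through both lookups on the same database."""
    db = make_db()
    return [(text, lookup_concat(db, text), lookup_param(db, text)) for text in INPUTS]

if __name__ == "__main__":
    for text, weak, safe in compare():
        print(repr(text))
        print("  concatenated :", weak)
        print("  parameterized:", safe)
```

With the bound parameter every input is compared as a literal ID and matches no row, so the page has neither an error message nor extra rows to show.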






