Now, we try to to SQL injection attack in DVWA
1. Information gathering, vulnerability asessment
we can test the vulnerability of the web with syntax starting with '
We can see, the mysql error message appeared
So we have know the database software is MYSQL and the input form is not validated. So we can inject SQL command via input box.
We try to add SQL statement that will be sent with OR command "
'OR '1'='1' -- ';
Now we have information field of tabel, these are "ID", "First Name" , "Sure Name".
Lets try to identify the number of the field, there is still other field or not.
by typing syntax 'OR '1'='1' ORDER BY 3-- ';
The focus point is in the number of field "3", is still there is the fourth field (0,1,2,3) or not..
From the error message we have known that there is no the fouth field.
0 komentar:
Post a Comment