This is the Damn Vulnerable Web Application (DVWA), and it’s vulnerable to SQL injection (SQLi).
Let’s begin by sending a normal request:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
Output via browser
ID: 1
First name: admin
Surname: admin
This is what the request looks like in MySQL:
mysql> SELECT first_name, last_name FROM users WHERE user_id = '1';
+------------+-----------+
| first_name | last_name |
+------------+-----------+
| admin | admin |
+------------+-----------+
1 row in set (0.00 sec)
mysql>
A common way to identify SQL injection is by sending a single quote (') character in the parameter,
e.g. id='
Give it a try on the URL and it works:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id='&Submit=Submit#
The web browser displays a SQL error, which indicates that the site is vulnerable to SQLi:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
I didn’t know what the query looks like in MySQL,
so I tried SELECT first_name, last_name FROM users WHERE user_id = ''';
but I didn’t get the same error.
Instead, I was getting the '> prompt from the MySQL shell:
mysql> SELECT first_name, last_name FROM users WHERE user_id = ''';
'>
'>
'> '
->
-> ;
Empty set (0.00 sec)
mysql>
What is the right way to run the id=' (or user_id = ', a single quote) request in MySQL?
Author: Wolf
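Added example, not part of Wolf's post: a Python script that rebuilds the query the way DVWA's low-security page does, by concatenating the id parameter into SELECT first_name, last_name FROM users WHERE user_id = '$id'; (the shape shown in the post). With id=' the text becomes ... user_id = '''; where '' is an escaped quote inside the literal and the third quote therefore never closes the string. The web application gets a syntax error because PHP hands MySQL the whole string at once; the interactive mysql client instead decides the statement is not finished yet and prints the '> continuation prompt, which is the behaviour seen in the post. The script includes a small scanner that models that quote tracking (single-quoted literals with '' and backslash escapes only, an assumption for illustration), and runs both the concatenated query and a parameterized one against a constructed in-memory SQLite table standing in for the MySQL users table (an assumption; the error text differs from MySQL's, the outcome does not).

```python
import sqlite3

# Shape of the query DVWA builds, taken from the post:
#   SELECT first_name, last_name FROM users WHERE user_id = '$id';
QUERY_TEMPLATE = "SELECT first_name, last_name FROM users WHERE user_id = '{}';"


def build_dvwa_query(user_id: str) -> str:
    """Concatenate the raw parameter into the query with no escaping and
    no parameter binding, as the vulnerable DVWA page does."""
    return QUERY_TEMPLATE.format(user_id)


def unterminated_string(sql: str) -> bool:
    """Model how the mysql client tracks single-quoted literals when deciding
    whether a statement is complete. Inside a literal, '' and \\' are escapes
    (MySQL default sql_mode). Returns True when the text ends inside a literal,
    which is exactly when the interactive client shows the '> prompt.
    Assumption: only single-quoted literals are modelled, not comments,
    double quotes or backticks."""
    in_str = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\" and i + 1 < len(sql):
                i += 2          # backslash escape: skip the escaped character
                continue
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 2      # doubled quote is a literal quote, still inside
                    continue
                in_str = False  # closing quote
        elif ch == "'":
            in_str = True       # opening quote
        i += 1
    return in_str


def _connect() -> sqlite3.Connection:
    """Constructed stand-in for DVWA's MySQL users table (sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn


def run_concatenated(user_id: str):
    """Execute the concatenated query. Returns the rows on success or the
    database error text on failure, mirroring what the browser shows."""
    sql = build_dvwa_query(user_id)
    try:
        return _connect().execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"error: {e}"


def run_parameterized(user_id: str):
    """Same lookup with a bound parameter: the quote is data, never syntax."""
    return _connect().execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    for test_id in ("1", "'"):
        sql = build_dvwa_query(test_id)
        print(f"id={test_id!r:5} query: {sql}")
        print(f"           client would wait for a closing quote: {unterminated_string(sql)}")
        print(f"           concatenated result: {run_concatenated(test_id)}")
        print(f"           parameterized result: {run_parameterized(test_id)}")
```

To see the real MySQL error for that statement rather than the continuation prompt, hand the client the whole text at once instead of typing it interactively, for example mysql -e "SELECT first_name, last_name FROM users WHERE user_id = ''';" dvwa, or abort the pending statement in the shell with \c and resend it on one line. The same quote tracking exists in Python's standard library as sqlite3.complete_statement(), which returns False for the id=' query for the same reason.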