Complete Guide to Setting Up DVWA and Executing Basic SQL Injection

Introduction

In the ever-evolving landscape of cybersecurity, understanding vulnerabilities and learning to defend against them is crucial. In this comprehensive guide, we’ll walk you through the process of setting up Damn Vulnerable Web App (DVWA) and executing a basic SQL injection attack. By following these steps, you’ll gain practical experience in identifying and mitigating SQL injection vulnerabilities.

Step 1: Installing and Setting Up DVWA

  1. Download DVWA from GitHub: Open your terminal and enter the following command to clone the DVWA repository:

    git clone https://github.com/ethicalhack3r/DVWA.git
  2. Navigate to the DVWA directory: Move into the DVWA directory using the following command:

    cd DVWA
  3. Configure DVWA: Make a copy of the configuration file and rename it:

    cp config/config.inc.php.dist config/config.inc.php

    Edit the config/config.inc.php file and set your database credentials.

  4. Start a local web server: Launch a PHP development server:

    php -S 127.0.0.1:8080
  5. Access DVWA: Open your web browser and go to http://127.0.0.1:8080/. Log in using the default credentials:

    Username: admin
    Password: password

Alternatively, visit https://www.kali.org/tools/dvwa/ to set up DVWA in Kali.

Step 2: Executing a Basic SQL Injection Attack

  1. Navigate to the “SQL Injection” section: Once logged in, select the “SQL Injection” tab from the DVWA menu.

  2. Choose a security level: Choose the desired security level (e.g., low) from the drop-down menu. Lower levels are easier for testing and learning purposes.

  3. Enter input and capture the URL: Enter a value (e.g., ‘test’) in the input field and click “Submit.” Capture the URL from the address bar, which should look like:

    http://127.0.0.1:8080/vulnerabilities/sqli/?id=test&Submit=Submit
  4. Modify the URL for injection: Manipulate the URL by modifying the id parameter’s value with the following payload:

    ' OR '1'='1

    The modified URL will be:

    http://127.0.0.1:8080/vulnerabilities/sqli/?id='+OR+'1'%3D'1&Submit=Submit
  5. Execute the SQL injection: Press “Enter” to submit the modified URL. If successful, you might see data displayed on the page. This demonstrates the vulnerability in the application.
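
The following is an added example, not part of the original guide and not DVWA's own code. It decodes the modified URL from step 4 the way a server would, then runs the resulting value through a string-concatenated query and a parameterized one. The in-memory SQLite `users` table, its rows and the function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# The modified URL from step 4 of the guide.
URL = "http://127.0.0.1:8080/vulnerabilities/sqli/?id='+OR+'1'%3D'1&Submit=Submit"

def id_from_url(url):
    # '+' decodes to a space and %3D to '=', which is the value the server receives.
    return parse_qs(urlsplit(url).query)["id"][0]

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1", "Alice", "Admin"), ("2", "Bob", "Brown"), ("3", "Carol", "Clark")],
    )
    return db

def lookup_vulnerable(db, user_id):
    # The input is pasted into the SQL text, so its quotes change the query structure.
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return query, db.execute(query).fetchall()

def lookup_parameterized(db, user_id):
    # The SQL text is fixed; the input is bound as a value and compared literally.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return query, db.execute(query, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("1", id_from_url(URL)):
        for fn in (lookup_vulnerable, lookup_parameterized):
            query, rows = fn(db, value)
            print(f"{fn.__name__}({value!r})")
            print(f"  SQL:  {query}")
            print(f"  rows: {rows}")
```

With the concatenated query, the WHERE clause becomes `user_id = '' OR '1'='1'` and matches every row; the parameterized query looks for a user whose ID is the literal payload string and finds none.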

Step 3: Testing with SQLMap

  1. Install SQLMap: Install SQLMap using your package manager or from the official repository:

    sudo apt-get install sqlmap
  2. Run SQLMap: Execute SQLMap on the DVWA URL:

    sqlmap -u "http://127.0.0.1:8080/vulnerabilities/sqli/?id=test&Submit=Submit"

  3. Perform Automated Tests: SQLMap will analyze the URL for vulnerabilities and suggest tests to perform.

  4. Exploit Vulnerabilities: Use SQLMap’s interactive interface to exploit vulnerabilities found.

Conclusion

By following this guide, you’ve gained practical experience in setting up DVWA and executing a basic SQL injection attack. However, it’s essential to remember that ethical hacking should be performed only in controlled environments and with proper authorization. These exercises help us understand vulnerabilities better so that we can take necessary measures to secure our applications and systems.

Remember, the knowledge gained from these exercises can be used to build stronger defenses against cyber threats. Stay curious, keep learning, and always prioritize ethical cybersecurity practices.
