In the ever-evolving landscape of cybersecurity, understanding vulnerabilities and learning to defend against them is crucial. In this comprehensive guide, we’ll walk you through the process of setting up Damn Vulnerable Web App (DVWA) and executing a basic SQL injection attack. By following these steps, you’ll gain practical experience in identifying and mitigating SQL injection vulnerabilities.
Download DVWA from GitHub: Open your terminal and enter the following command to clone the DVWA repository:
git clone https://github.com/ethicalhack3r/DVWA.git
Navigate to the DVWA directory: Move into the DVWA directory using the following command:
cd DVWA
Configure DVWA: Make a copy of the configuration file and rename it:
cp config/config.inc.php.dist config/config.inc.php
Edit the config/config.inc.php
file and set your
database credentials.
Start a local web server: Launch a PHP development server:
php -S 127.0.0.1:8080
Access DVWA: Open your web browser and go to http://127.0.0.1:8080/. Log in using the default credentials:
Username: admin
Password: password
Or, simply visit https://www.kali.org/tools/dvwa/ to setup DVWA in Kali.
Navigate to the “SQL Injection” section: Once logged in, select the “SQL Injection” tab from the DVWA menu.
Choose a security level: Choose the desired security level (e.g., low) from the drop-down menu. Lower levels are easier for testing and learning purposes.
Enter input and capture the URL: Enter a value (e.g., ‘test’) in the input field and click “Submit.” Capture the URL from the address bar, which should look like:
http://127.0.0.1:8080/vulnerabilities/sqli/?id=test&Submit=Submit
Modify the URL for injection: Manipulate the URL
by modifying the id
parameter’s value with the following
payload:
' OR '1'='1
The modified URL will be:
http://127.0.0.1:8080/vulnerabilities/sqli/?id='+OR+'1'%3D'1&Submit=Submit
Execute the SQL injection: Press “Enter” to submit the modified URL. If successful, you might see data displayed on the page. This demonstrates the vulnerability in the application.
Install SQLMap: Install SQLMap using your package manager or from the official repository:
sudo apt-get install sqlmap
Run SQLMap: Execute SQLMap on the DVWA URL:
bash sqlmap -u "http://127.0.0.1:8080/vulnerabilities/sqli/?id=test&Submit=Submit"
Perform Automated Tests: SQLMap will analyze the URL for vulnerabilities and suggest tests to perform.
Exploit Vulnerabilities: Use SQLMap’s interactive interface to exploit vulnerabilities found.
By following this guide, you’ve gained practical experience in setting up DVWA and executing a basic SQL injection attack. However, it’s essential to remember that ethical hacking should be performed only in controlled environments and with proper authorization. These exercises help us understand vulnerabilities better so that we can take necessary measures to secure our applications and systems.
Remember, the knowledge gained from these exercises can be used to build stronger defenses against cyber threats. Stay curious, keep learning, and always prioritize ethical cybersecurity practices.
If you found this guide helpful, consider sharing it with others who are interested in cybersecurity. Stay tuned for more educational content on our channel as we explore various aspects of the ever-evolving world of cybersecurity.