Ultimate Guide to Manual SQL Injection Testing | DVWA Training

This post is a tutorial focused on explaining SQL Injection (SQLi) attacks using manual methods without relying on automated tools. The demonstration is conducted on the Damn Vulnerable Web Application (DVWA) running on Metasploitable 2 Linux. The tutorial provides an in-depth guide on identifying and exploiting SQL injection vulnerabilities step-by-step.

Introduction to SQL Injection

  • SQL Injection allows attackers to manipulate database queries by inserting malicious input.
  • Common targets include login forms, search boxes, and any input fields interacting with databases.

Difference Between Manual and Automated Testing

  • Automated Testing is more efficient for large-scale assessments across many targets.
  • Manual Testing is preferred for detailed examination of one or two targets.

Initial Testing for SQL Injection

  • Entering simple input like 1 in a vulnerable input box reveals database entries, indicating how SQL queries are constructed.
  • The backend query resembles:
SELECT * FROM users WHERE id = 1;
  • Changing the input value reveals different records, confirming data retrieval from a database.

Error-Based SQL Injection Detection

  • Inserting a single quote (') into an input field triggers a syntax error, confirming that the input is being placed directly into the SQL query text.
  • Error messages often reveal the database type and version (e.g., MySQL, MariaDB), which helps an attacker choose payloads.

Basic SQL Injection Exploit

  • Injecting payloads like:
' OR 0=0 --
  • alters the query logic so that the WHERE condition is always true, returning every row of the queried table instead of a single match.

Understanding the Injection Logic

  • The injected query might look like:
SELECT * FROM users WHERE username = '' OR 0=0 -- ';
  • The OR 0=0 condition always evaluates to true, bypassing authentication and granting access.

Using Comments to Bypass Queries

  • The -- (double dash) symbol is used to comment out the rest of the SQL query, preventing errors from unclosed statements.

Advanced SQL Injection: UNION-Based Injection

  • UNION SELECT appends the results of a second, attacker-chosen SELECT to the results of the original query.
    Example:
' UNION SELECT null, version(), user() --
  • This retrieves the database version, current user, and other sensitive information.

Enumerating Database Information

  • Accessing the information_schema database allows listing tables and columns.
    Example:
' UNION SELECT table_name, null FROM information_schema.tables --
  • This helps attackers map the database structure.
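The tutorial's probes leave a recognisable trail in web-server logs. As an added example that is not part of the original post, the Python script below looks at the same techniques from the defender's side: it parses constructed Apache-style access-log lines for DVWA's SQLi page, URL-decodes each query parameter, and flags the single-quote error probe (a quote in a parameter paired with a 500 response), the OR-tautology, the -- comment terminator, UNION SELECT, and information_schema enumeration. The log lines, IP addresses, timestamps and the O'Reilly search request are constructed sample data; the signature list is an assumption chosen to match this tutorial, not a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache common format); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4519
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 500 1203
10.0.0.9 - - [10/Oct/2023:13:56:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+OR+0%3D0+--&Submit=Submit HTTP/1.1" 200 9812
10.0.0.9 - - [10/Oct/2023:13:57:30 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+UNION+SELECT+null%2C+version%28%29%2C+user%28%29+--&Submit=Submit HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2023:13:58:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+UNION+SELECT+table_name%2C+null+FROM+information_schema.tables+--&Submit=Submit HTTP/1.1" 200 7700
10.0.0.7 - - [10/Oct/2023:13:59:10 +0000] "GET /dvwa/search/?q=O%27Reilly HTTP/1.1" 200 800
"""

# Fields we need from each log line: client IP, request path (with query string), status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Signatures for the techniques covered in the tutorial, applied to the decoded parameter value.
SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),          # ' OR 0=0
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),  # ' UNION SELECT ...
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),           # information_schema.tables
    ("comment-terminator", re.compile(r"--\s*$")),                           # trailing -- comment
]


def classify_value(value, status):
    """Return the list of signature names that a decoded parameter value matches."""
    reasons = [name for name, pattern in SIGNATURES if pattern.search(value)]
    # Error-based probing: a lone quote that makes the server fail is the classic first test.
    if "'" in value and status == 500 and not reasons:
        reasons.append("quote-probe")
    return reasons


def scan_log(text):
    """Parse log lines and return one hit per flagged parameter, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        status = int(m.group("status"))
        query = urlsplit(m.group("path")).query
        # parse_qsl percent-decodes and turns '+' into spaces, matching what the app sees.
        for param, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value, status)
            if reasons:
                hits.append({"ip": m.group("ip"), "param": param, "value": value, "reasons": reasons})
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per client IP, useful for spotting a probing session."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["param"], repr(h["value"]), ",".join(h["reasons"]))
    print(summarize_by_ip(found))
```

The legitimate O'Reilly search is not flagged: a quote on its own is only suspicious when the server answers with an error, which is why the quote-probe rule also looks at the status code. Running the signatures on the decoded value rather than the raw URL matters, because the payloads in the tutorial arrive percent-encoded.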

Escalation and Further Exploitation

  • After identifying vulnerabilities, attackers can escalate privileges, potentially leading to command execution or full system compromise.
  • Knowing the current directory and user privileges helps in advancing the attack.

Conclusion and Recommendations

  • Input Validation: Applications must properly validate and sanitize user inputs to prevent SQL injection.
  • Parameterized Queries: Developers should use prepared statements and parameterized queries to avoid direct insertion of user input into SQL queries.
  • Error Handling: Error messages should be generic to avoid leaking database information.
  • Least Privilege Principle: Database accounts should have the minimal required permissions.
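To make the Parameterized Queries recommendation concrete, and to show why the injection logic from the "Understanding the Injection Logic" section works in the first place, here is an added example that is not part of the original post: a Python script that runs the tutorial's single-quote test and the ' OR 0=0 -- payload against a string-concatenated query and against a parameterized one, side by side. It uses an in-memory SQLite table as a stand-in for DVWA's MySQL backend; the users table, its rows and the function names are constructed for this example and are not DVWA's real schema or code.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (assumption: illustrative schema, not DVWA's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "wonderland"), ("bob", "builder")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The input is spliced into the SQL text, so a quote inside it rewrites the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """The driver binds the value to the placeholder; the SQL text itself never changes."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def probe(conn, username):
    """Run both variants on the same input and report the rows returned or the error raised."""
    outcome = {}
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        try:
            outcome[label] = fn(conn, username)
        except sqlite3.Error as exc:
            # This is the syntax error the tutorial's single-quote test looks for. A production
            # app should log the detail server-side and return only a generic message to the client.
            outcome[label] = "error: " + type(exc).__name__
    return outcome


if __name__ == "__main__":
    db = make_db()
    for payload in ("alice", "'", "' OR 0=0 --"):
        print(repr(payload), probe(db, payload))
```

For a normal username both variants return the same single row. For the lone quote the concatenated query fails with a database error while the parameterized one simply finds no user, and for ' OR 0=0 -- the concatenated query returns every row because the comment swallows the closing quote, whereas the parameterized query looks for a user literally named "' OR 0=0 --" and returns nothing. The same binding mechanism exists in PHP's PDO and mysqli prepared statements, which is what a DVWA-style application would use to close this hole.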

Video Walkthrough