SQL Injection - Low


Note This write-up is still in its early development phase.

Intro TBD. Note Be sure to set the DVWA Security setting to Low before starting the challenge.

About SQL Injection

According to the OWASP definition, a SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

Information Gathering & Analysis

Conclusion

Resources

http://www.fuzzysecurity.com/tutorials/4.html https://pentestlab.blog/2012/11/24/owning-the-database-with-sqlmap/ https://pentestlab.blog/2012/09/18/sql-injection-exploitation-dvwa/ http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/index.html http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson7/index.html http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson15/index.html https://www.owasp.org/index.php/SQL_Injection