This project involves setting up a vulnerable web application for penetration testing practice. The Damn Vulnerable Web Application (DVWA) hosted on a Metasploitable 2 virtual machine is used.
The hypervisor used is VirtualBox, a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use.
The target is Metasploitable 2, an intentionally vulnerable Linux virtual machine. We imported the Metasploitable 2 VM into VirtualBox.
We verified that the Metasploitable VM had network connectivity by pinging a public IP address (8.8.8.8).
We found the IP address of the Metasploitable VM by running the ifconfig command in the Metasploitable terminal.
http://
SQL Injection is a code injection technique that attackers can use to exploit vulnerabilities in a web application's database query. In this project, we've used SQL Injection to extract data from the DVWA's database.
We started by testing for a SQL Injection vulnerability. We entered a single quote (') into the User ID field and observed the application's response. The application returned a SQL error message, indicating that it is vulnerable to SQL Injection.
Next, we determined the number of columns in the original SQL query. We used the ORDER BY clause and incremented the number until we got an error. We found that the original SQL query has 2 columns.
We then used the UNION SELECT statement to extract information about the database structure. We retrieved a list of all tables in the database and then a list of all columns in the users and guestbook tables.
1' UNION SELECT table_name,2 FROM information_schema.tables #
1' UNION SELECT column_name,2 FROM information_schema.columns WHERE table_name = 'guestbook' #
1' UNION SELECT column_name,2 FROM information_schema.columns WHERE table_name = 'users' #
Session cookies are critical for maintaining a user's state during navigation across a website. They are used to keep users logged in, track their activities, and deliver personalized content. However, if not handled securely, session cookies can be exploited by attackers to impersonate users and gain unauthorized access to their accounts.
In this project, we used a session cookie to maintain our session with the DVWA. The session cookie, specifically the PHPSESSID, was required to perform the Blind SQL Injection attack. We extracted the PHPSESSID from our browser's developer tools and included it in our Python script to send authenticated requests to the DVWA.
We used a blind SQL Injection technique to extract the hashed password of the 'admin' user. We iterated over each character of the password, and for each character, we iterated over a list of possible characters. We used a SQL query to check if the character at the current position matches the current character from the list. If the application's response indicated a match, we added the character to the final password.
We created a Python script (sqppwdinject.py) to automate the extraction of the hashed password. The script sends GET requests to the DVWA server with the SQL Injection payloads, analyzes each response to check for a match, and builds up the final password one character at a time. It uses the requests library to send the GET requests and handle the HTTP responses.
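The following is an added example, not the project's sqppwdinject.py: it replays the probes from this writeup (the single quote, ORDER BY, UNION SELECT and the boolean check behind the blind extraction) against a constructed in-memory SQLite stand-in for the DVWA users table, and sets a parameterized query beside the vulnerable one to show why the same inputs stop leaking anything. Assumptions: the schema and hash values are placeholders, MySQL's `#` comment is written as SQLite's `-- `, and `sqlite_master` replaces `information_schema.tables`.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for DVWA's MySQL users/guestbook tables.
    Password values are placeholders, not DVWA's real MD5 hashes."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT,
                           user TEXT, password TEXT);
        CREATE TABLE guestbook(comment_id INTEGER, comment TEXT, name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', 'PLACEHOLDER_HASH');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'PLACEHOLDER_HASH_2');
    """)
    return db


def lookup_vulnerable(db, user_id):
    """Mirrors DVWA's low-security page: the ID is spliced into the SQL text,
    so quotes, ORDER BY, UNION and AND clauses in the input are parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:  # the returned error message is the first leak
        return f"ERROR: {exc}"


def lookup_fixed(db, user_id):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()


# Probes from the writeup, adapted to SQLite: MySQL's '#' comment becomes '-- '
# and sqlite_master stands in for information_schema.tables.
QUOTE_PROBE = "'"
ORDER_BY_2 = "1' ORDER BY 2 -- "
ORDER_BY_3 = "1' ORDER BY 3 -- "
UNION_TABLES = "1' UNION SELECT name,2 FROM sqlite_master WHERE type='table' -- "


def blind_probe(pos, ch):
    """Boolean oracle: the row for user_id 1 comes back only if the character at
    position pos of admin's password hash equals ch (one bit of leak per request)."""
    return (f"1' AND SUBSTR((SELECT password FROM users WHERE user='admin'),"
            f"{pos},1)='{ch}' -- ")


if __name__ == "__main__":
    db = make_db()
    for probe in (QUOTE_PROBE, ORDER_BY_2, ORDER_BY_3, UNION_TABLES, blind_probe(1, "P")):
        print(repr(probe), "->", lookup_vulnerable(db, probe), "| fixed:", lookup_fixed(db, probe))
```

The vulnerable handler answers every probe differently (an error, a row, two extra rows, a row or nothing), which is exactly the side channel the script loops over; the parameterized handler returns an empty result for all of them.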