DVWA

(SQL INJECTION AND XSS)


SQL INJECTION: DVWA MACHINE CONFIGURATION

First of all, you have to know that SQL injection is an attack in which you send the server a series of queries or commands that it should not trust; but since the server does not verify whether those queries are legitimate, you can run whichever command or query you want, because there is no validation of the data.
Now, let's start the Docker container of the vulnerable DVWA in Kali Linux with the command you can see in the picture below:
  1. sudo docker start dvwa

In addition, we will start the Burp Suite application, as you can see in the different pictures below. Burp Suite is a proxy that we place in the middle of the communication between the client and the server; it will intercept the connections between the server and the client coming from the DVWA web page, that is, the requests that carry the queries to the database.
Now that we have started Burp Suite in the previous step, let's do the following:

  1. We have to run the ifconfig eth0 command to find out what our IP is, because we will need it in the web browser in order to reach the vulnerable website called DVWA, as you can observe at the bottom of the picture.


Once we have verified our IP address, the next step is to enable the Burp proxy in the web browser (Firefox/Chrome) and type the IP in the URL bar, which in this case is 192.168.18.226; the page will be displayed as you see in the picture below.


Now we have to enter the default username and password:
Username: admin
Password: password
Then we click Login to enter, as you can see in the picture below.


When the process has finished we will be able to see this web page, which is DVWA.

To finish the set-up of the web page and start sending the different queries or commands for the medium-level SQL injection, we click the DVWA Security tab, select the medium level as you can see in the picture below, and click Submit to save the configuration; the machine is then configured for the different SQL injections.

SQL INJECTION MEDIUM LEVEL

First, we have to click the SQL Injection tab, which you can see at the bottom of the picture. The first thing we observe is that the text bar for entering the different queries no longer appears and we only have a drop-down menu with the existing users, so we are going to do it another way, because the request is now sent with POST instead of GET, which complicates things a little more.


Since we only have a drop-down menu, we have to send the queries another way: we enable interception in the Burp proxy and click the Submit option; interception has to be active in Burp Suite because we want to intercept the communication between server and client, and that lets us change the id like this:
  1. id=1' or '1'='1 &Submit=Submit (1' or '1'='1 means that 1' (true) OR '1'='1 (true) gives true; even if 1' were false, '1'='1 is always true, so the whole condition is always true).

Now we click Forward, because this forces the query to be sent, and then we turn interception off; in the picture below we can see that it shows an error from the MariaDB database, because the quote in the id is escaped by the medium-level code and the resulting query is malformed.

Again, we do the same as in the previous step: we enable the Burp proxy because we want to intercept the communication between server and client, this time with the query:
  1. id=1 or 1=1 &Submit=Submit (1 or 1=1: since 1 is true and the other element is also true, the condition in the query will always be true).

For example, since the condition I have built is always true, the request returns all of the users, which in my case are 5:
  1. admin admin
  2. Gordon
  3. Hack Me
  4. Pablo Picasso
  5. Bob Smith

Again, we do the same as in the previous step: we enable the Burp proxy because we want to intercept the communication between server and client, this time with the query:
  1. id=1 or 1=1 union select null,version()# &Submit=Submit (1 or 1=1 union select null,version()#: since 1 is true and the other argument is true, the condition is always true; in addition, version() shows the database version and select null returns an empty item for the first column of the result).

In addition, since the condition I have built is true, the database returns the usernames together with the database version, which is: 10.1.26-MariaDB.0deb9ul.

Again, we do the same as in the previous step: we enable the Burp proxy because we want to intercept the communication between server and client, this time with the query:
  1. id=1 or 1=1 union select user(),database()# &Submit=Submit (1 or 1=1 union select user(),database()#: since 1 is true and the other is true, the condition is always true, and with the query union select user(),database() I obtain the database user together with the database name).
That is to say, since the condition I have put is true, it returns all the users plus the name of the database where they are stored, which is dvwa, and the database user, which is app@localhost.

Again, we do the same as in the previous step: we enable the Burp proxy because we want to intercept the communication between server and client, this time with the query:
  1. id=1 or 1=1 union select null,table_name from information_schema.tables# &Submit=Submit (1 or 1=1 union select null,table_name from information_schema.tables#: since 1 is true and the other is true too, the condition is always true, and the query union select null,table_name from information_schema.tables# returns an empty first column and the names of the tables whose information is stored in information_schema.tables).

That is to say, since the condition I have put is true, it returns all the users together with the names of the different tables; the most important of all of them are guestbook and users, because the rest are in upper case and these two are in lower case.

Again, we do the same as in the previous step: we enable the Burp proxy because we want to intercept the communication between server and client, this time with the query:
  1. id=1 or 1=1 union select null,column_name from information_schema.columns# &Submit=Submit (1 or 1=1 union select null,column_name from information_schema.columns#: since 1 is true and the other is true, the condition is always true, and the query union select null,column_name from information_schema.columns# returns an empty first column and the names of the columns whose information is stored in information_schema.columns).

That is to say, since the condition I have put is true, it returns all the users together with the different column headers, but in more detail; in this case, what most catches my attention are user and password, because the rest are in upper case and these two in lower case, so it is likely that user stores the usernames and password stores the passwords or the hashes of the users' passwords.

Again, we do the same as in the previous step: we enable the Burp proxy because we want to intercept the communication between server and client, this time with the query:
  1. id=1 or 1=1 union select user,password from users# &Submit=Submit (1 or 1=1 union select user,password from users#: since 1 is true and the other is true, the condition is always true, and the query union select user,password from users# selects the username and password from the users table).

That is to say, since the condition I have put is true, it returns all the users together with the different columns, but in this case what most catches my attention is that it has extracted both the usernames and the hashes of all 5 users, which are:
  1. admin:5f4dcc3b5aa765d61d8327deb882cf99(password)
  2. gordonb:e99a18c428cb38d5f260853678922e03(abc123)
  3. 1337:8d3533d75ae2c3966d7e0d4fcc69216b(charley)
  4. pablo:0d107d09f5bbe40cade3de5c71e9e9b7(letmein)
  5. smithy:5f4dcc3b5aa765d61d8327deb882cf99(password)

In addition, I have verified all of the hashes that appear in the different screenshots on the website https://md5.gromweb.com/.
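The whole medium-level procedure above comes down to one defect: the id is pasted into the SQL text. As an added example (not the page's or DVWA's own code), here is a Python model of that lookup beside a hardened version; the in-memory users table is constructed from the five accounts and hashes listed above (Gordon's surname is assumed), and the trailing # of the page's payloads is omitted because SQLite does not treat it as a comment marker.

```python
import sqlite3

# Constructed stand-in for DVWA's users table: the five default accounts and
# the MD5 hashes the write-up lists (Gordon's surname is assumed).
USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
    (3, "Hack", "Me", "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "Pablo", "Picasso", "pablo", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "Bob", "Smith", "smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn

def lookup_vulnerable(conn, user_id):
    # The id is concatenated straight into the SQL text, so "1 or 1=1" becomes
    # part of the WHERE clause instead of being treated as a number.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = {user_id};"
    return conn.execute(query).fetchall()

def lookup_fixed(conn, user_id):
    # Hardened form: validate the type first, then bind the value as a
    # parameter so the database never parses user input as SQL.
    if not str(user_id).strip().isdigit():
        raise ValueError("user_id must be a positive integer")
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return conn.execute(query, (int(user_id),)).fetchall()

def run_demo():
    """Row count each version yields for a normal id and the page's payloads."""
    conn = setup_db()
    payloads = {"normal": "1", "always_true": "1 or 1=1",
                "union": "1 or 1=1 union select user,password from users"}
    results = {}
    for name, payload in payloads.items():
        results[("vulnerable", name)] = len(lookup_vulnerable(conn, payload))
        try:
            results[("fixed", name)] = len(lookup_fixed(conn, payload))
        except ValueError:
            results[("fixed", name)] = "rejected"
    return results

if __name__ == "__main__":
    for (version, name), outcome in run_demo().items():
        print(f"{version:10s} {name:12s} -> {outcome}")
```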

XSS REFLECTED

First of all, you have to know what XSS (Cross-Site Scripting) is: it is an injection attack, but against the web application rather than the database as in SQLi; we inject JavaScript into the page, and the server does not verify at any point whether the submitted strings are legitimate, because there is no validation of the data.
To begin, we go to the XSS (Reflected) option to see whether there is some vulnerable script at the medium level of DVWA, and we write the following:
  1. What is your name? Luis, and click Submit.
Then we check whether the request has been collected by our Burp Suite proxy; obviously it has, which verifies that our proxy works correctly with the DVWA application.

Next, let's run the first script in the query to check whether the web page is vulnerable or not; for that we use this script:
  1. <script>alert("Campus Internacional de Ciberseguridad")</script>
This means that if the field is vulnerable, the text between the quotes, i.e. Campus Internacional de Ciberseguridad, is shown in an alert and the page is vulnerable to XSS; but in my case we have had no luck, because no pop-up appears, as we can observe in the 2 pictures below.

On the other hand, in the intercepting proxy Burp Suite we can see the request containing Campus Internacional de Ciberseguridad.

XSS STORED

In this case we are going to try what XSS (Stored) can do: if the injected code is executed, it is stored on the server, and it will run by default every time the URL of the web application is opened.
Now, let's go to XSS (Stored), where we get these 2 options:
1. Name: where you must write a script; I am going to write the name to do the test.
2. Message: the message or script that we want to execute to obtain the pop-up from the vulnerable XSS.
In my case, I have written Luis in Name and This is the test2 in Message, and we want to verify whether it is executed.


And it does indeed run if we click on the Sign Guestbook option.


In addition, we are going to intercept the message with Burp Suite, and we want to know whether, if we change the script, it can run on the medium-level DVWA machine.
For this, we do the following:
● Name field: mensaje
● Message field: mensaje


Now, in the Burp Suite proxy we select the Intercept tab, because we have to intercept the message between client and server, and we must have the Burp proxy we configured earlier enabled in the browser.


Here, in the picture below, we can observe that the message between client and server has been captured by the proxy:
txtName=mensaje&ntxMenssage=mensaje&btnSign=Sign+Guestbook



In addition, now that we have intercepted the message, we do the following steps:
  1. We modify the message to see whether there is some kind of failure in the string handling that allows an XSS injection; the request will look like this: <script>alert("Mensaje de prueba")</script>&ntxMessage=message&btnSign=Sign+Guestbook.
  2. We turn interception off, that is, in the Proxy option we choose Off, and click Forward so that the request is made again; if everything has gone well we will see a pop-up window with the message we put, which in my case is "message test", and that means it is vulnerable to XSS. But in this case, as no pop-up window has appeared, it means that it is not vulnerable to the Cross-Site Scripting (XSS) attack.

Next, we are going to look at another type of vulnerability that is usually uncommon: we change the maximum length in the developer options to 100, so that we can write a script in the Name field and run it to see whether it is vulnerable or not.
For this, first we go to the 3 lines at the right of the browser and, under More tools, we select Web Developer Tools, since if we try to write a script we cannot, because the field is limited to 10 characters, as we can see in the image below.


Now we go to the Inspector tab and, in the browser's search option, we search for input, and we get what you can see in the picture below.




Now, where it says maxlength we set it to 100, to be able to write the script we mentioned previously.
In my case, the script looks as you can see in the image below; that is:
● In the Name field we put the script that we believe may be vulnerable on the DVWA page, which looks like this: <script>alert("Field we think is vulnerable")</script>
● In the Message field, the message we want; in my case I have put Test name 2.
But since there is no pop-up window, it is not vulnerable to XSS.


XSS HITS INJECTION

XSS REFLECTED ATTACK

Firstly, now that we have verified the failures, let's see how to get past them; for that we go to the application's source code and we find the following: if we enter <script>, the str_replace function replaces it with an empty value, so to avoid this limitation we would have to write <SCRIPT> instead.


In addition, we are going to verify it; for that we write the script tag in capitals, because without this step the XSS script would not work:
<SCRIPT>alert(“DVWA Nivel medio”)</SCRIPT>



XSS STORED ATTACK

Next, we are going to perform the Cross-Site Scripting (Stored) process; that is to say, the attack is stored on the server, and whenever you enter the URL of that specific page the pop-up window will appear. First, to check that the proxy correctly intercepts the connections between the server and the client, we do this:
Name field: we put the name; in my case I have put Luis.
Message field: we put the message we want to intercept; in my case I have used the example THIS IS TEST4.


Indeed, the communication between server and client has been intercepted by the Burp proxy, as you can see in the picture below.


Now we are going to intercept the communication, but we must always have the Burp proxy that we configured earlier enabled, so that it can intercept all communications.
To do this, in both the Name and Message fields we enter the word message2, so that Burp Suite can intercept it and we can make a few modifications to it.


In the first image below we already have the communication intercepted, and in the second we can see the few changes we have included, which are:
<SCRIPT>alert("msj")</SCRIPT> (I have entered this in the txtName field of the communication that Burp Suite intercepted).


And in the image at the bottom we can observe that the XSS attack has worked effectively, since a pop-up window appears.


Now let's do it again, but modifying the length from 30 to 100 in the Name field, to check whether it would be possible to inject an XSS attack, as in the first picture and as in the third picture made in the XSS STORED section.
To do this we will run the script shown in the image above, where we have 2 fields:
1) Name: we put the script that may be vulnerable to the XSS attack, which is as follows: <SCRIPT>alert("Name 2")</SCRIPT>
2) Message: the message we want to put; in my case I have chosen Hacked.
In this case the script works perfectly, because I get a pop-up window, which means that it is vulnerable.


The script shown in the image above is the same as the one we used in the image mentioned previously, but simply, in the vulnerable option, the parameter message2 is changed to HACKED.
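As an added example (not the page's or DVWA's own code), covering both the reflected bypass explained in the XSS REFLECTED ATTACK section and the stored one above: a Python model of the medium level's case-sensitive str_replace filter next to a hardened version that HTML-encodes the value and enforces the length on the server, since the maxlength edited in the developer tools is only a client-side control. The 10-character limit and the sample inputs are constructed assumptions.

```python
import html
import re

# Server-side limit (assumed): the page's form only enforced its 10-character
# limit in the browser via maxlength, which the write-up edited to 100.
NAME_MAX_LENGTH = 10

def filter_medium(name):
    """Mimic the medium level's str_replace('<script>', ''): one exact,
    case-sensitive match, so <SCRIPT> passes straight through."""
    return name.replace("<script>", "")

def filter_fixed(name):
    """Hardened form: HTML-encode the whole value instead of blacklisting
    one spelling of one tag; the browser then renders it as plain text."""
    return html.escape(name, quote=True)

def length_ok(name):
    """Server-side length check that does not rely on the browser's maxlength."""
    return len(name) <= NAME_MAX_LENGTH

def script_tag_survives(output):
    """True if an opening <script ...> tag is still present in the output."""
    return re.search(r"<script\b", output, re.IGNORECASE) is not None

# Constructed inputs: the benign name and the two payloads used in the write-up.
SAMPLES = {
    "benign": "Luis",
    "lowercase": '<script>alert("Campus Internacional de Ciberseguridad")</script>',
    "uppercase": '<SCRIPT>alert("DVWA Nivel medio")</SCRIPT>',
}

def run_demo():
    """For each sample: does a script tag survive each filter, and is the length valid?"""
    results = {}
    for label, name in SAMPLES.items():
        results[label] = {
            "medium_executes": script_tag_survives(filter_medium(name)),
            "fixed_executes": script_tag_survives(filter_fixed(name)),
            "passes_length_check": length_ok(name),
        }
    return results

if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:10s} {outcome}")
```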


Thank you very much for reading this article

I hope you liked it and learned something new

This article has been written for ethical purposes

Good Hack
