Ethical Hacking and Penetration Testing Guide
The application returns an error indicating that the column "username" does not exist in the "users" table present in the dvwa database. Let's now try injecting a column that is present in the table.
Syntax
http://localhost/index.php?support=yes' and (SELECT substring(concat(1,user),1,1) from dvwa.users limit 0,1)=1--+
It results in a true statement. In a similar manner, we can try guessing other columns as well.
Extracting Data from Columns
Now comes the hard part: figuring out the contents of the column user. We would need to do it one character at a time. Let's take a look at the command:
Syntax
http://localhost/index.php?support=yes' and (select mid(user,1,1) from dvwa.users limit 0,1)='a'--+
This query is simply asking the database whether the first character of the value in the user column is "a".
We get a true response, meaning that it is indeed "a". From the previous UNION-based SQL injection demonstration, we already know that the value is admin; however, you can see how time-consuming this can be when we are enumerating one character at a time. There are additional techniques used by scanners where they compare ASCII values, asking the database whether the ASCII value of the character is greater or less than the value we are trying to guess. In this way, scanners can perform this task a bit faster.
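The character-at-a-time guessing described above has a distinctive footprint on the server side: one client sends a long run of near-identical requests to one parameter, each carrying a subquery built from mid(), substring() or ascii() and a comparison. The following detector, an added example that is not from the book, flags such probes in web access logs and counts them per client and parameter; the log lines are constructed samples and the regular expressions are assumptions shaped after the queries shown on this page.

```python
"""Flag boolean-based blind SQL injection probing in web access logs.

Added example (not from the book). Each probe on this page injects a boolean
condition comparing one character of a column value extracted via a subquery;
we look for exactly that shape in decoded query-string values.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumed signature: quote, AND/OR, a subquery using substring/mid/ascii,
# a FROM ... LIMIT n,m clause, then a comparison operator (=, < or >).
PROBE_RE = re.compile(
    r"""['"]\s*(and|or)\s*\(\s*select\s+(substring|mid|ascii)\s*\(.*?\)\s*
        from\s+[\w.`]+\s+limit\s+\d+\s*,\s*\d+\s*\)\s*(=|<|>)""",
    re.IGNORECASE | re.VERBOSE,
)

# Common log format: client ip, identd, user, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Constructed sample traffic: one benign request, three probes from one
# client against the support parameter, and one benign search.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?support=yes HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?support=yes%27+and+%28select+mid%28user%2C1%2C1%29+from+dvwa.users+limit+0%2C1%29%3D%27a%27--%2B HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?support=yes%27+and+%28select+mid%28user%2C2%2C1%29+from+dvwa.users+limit+0%2C1%29%3D%27d%27--%2B HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php?support=yes%27+and+%28select+ascii%28substring%28user%2C3%2C1%29%29+from+dvwa.users+limit+0%2C1%29%3E109--%2B HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?q=mid+century+lamp HTTP/1.1" 200 2048
"""


def find_probes(log_text):
    """Return (client_ip, parameter, decoded_value) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        query = urlsplit(m.group("target")).query
        # parse_qsl undoes both '+' and %XX encoding before we inspect values
        for name, value in parse_qsl(query, keep_blank_values=True):
            if PROBE_RE.search(value):
                hits.append((m.group("ip"), name, value))
    return hits


def probe_counts(log_text):
    """Probes per (client, parameter); a long run is the extraction signature."""
    return Counter((ip, name) for ip, name, _ in find_probes(log_text))


if __name__ == "__main__":
    for (ip, name), n in probe_counts(SAMPLE_LOG).items():
        print(f"{ip} sent {n} blind SQLi probes against parameter '{name}'")
```

In production the counter would be keyed over a sliding time window and alerted on above a threshold, since a single matching request is a probe but dozens in a minute against one parameter is an extraction in progress.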