Exercise: SQL Injection Challenge solving DVWA on Kali

Level 1:

  1. Open up the DVWA web application in a browser and log in with the default
    credentials (username: admin, password: password).
  2. Navigate to the “SQL Injection” section of the application.
  3. Try entering a single quote (') in the input field and submitting the form. Observe the
    resulting error message.
  4. Use the sqlmap tool in Kali to exploit the injection vulnerability by running the
    following command:
    sqlmap -u "http://[DVWA IP]/vulnerabilities/sqli/?id=1&Submit=Submit#" --data "id=1&Submit=Submit" -p id --level=1
  5. Observe the results of the command, including any extracted data from the database.

Level 2:

  1. Repeat steps 1-3 from Level 1.
  2. Use the sqlmap tool in Kali to exploit the injection vulnerability by running the
    following command:
    sqlmap -u "http://[DVWA IP]/vulnerabilities/sqli/?id=1&Submit=Submit#" --data "id=1&Submit=Submit" -p id --level=2
  3. Observe the results of the command, including any extracted data from the database.

Level 3:

  1. Repeat steps 1-3 from Level 1.
  2. Use the sqlmap tool in Kali to exploit the injection vulnerability by running the
    following command:
    sqlmap -u "http://[DVWA IP]/vulnerabilities/sqli/?id=1&Submit=Submit#" --data "id=1&Submit=Submit" -p id --level=3
  3. Observe the results of the command, including any extracted data from the database.

Note:
● In this exercise, replace [DVWA IP] with the actual IP address or hostname of the
machine running DVWA.
● It is always recommended to perform this kind of exercise in a controlled environment
and never on production systems.

It is also important to mention that SQL injection is a common and dangerous web
application vulnerability. It occurs when user input is inserted into a SQL query without
proper sanitization, so the input becomes part of the query itself and can be used to
extract sensitive data or even take control of the database. The best way to prevent SQL
injection is to use prepared statements, which pass user input as bound parameters so it
is never interpreted as part of the query text.
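The contrast above, as an added example that is not part of the original exercise or of DVWA: a constructed in-memory SQLite table stands in for DVWA's users table, and the same three inputs (a normal id, the lone quote from step 3, and a classic tautology) are run through the string-concatenation pattern and through a prepared statement. Table contents and function names are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for DVWA's users table; rows are sample data, not DVWA's real ones.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """Vulnerable pattern: the id parameter is pasted straight into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # A lone quote unbalances the statement; this is the error step 3 of the exercise observes.
        return f"SQL error: {exc}"

def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """Prepared statement: the id is bound as a parameter and cannot alter the query structure."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "'", "1' OR '1'='1"]:
        print(f"{probe!r:18} vulnerable -> {lookup_vulnerable(db, probe)}")
        print(f"{'':18} safe       -> {lookup_safe(db, probe)}")
```

With the vulnerable function the quote produces an error and the tautology returns every row, while the prepared statement returns exactly the row for id 1 and nothing for either malformed input.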
