Scribd Logo
Upload

Welcome to Scribd!

  • 88 views

    4 - SQL Injection and Password Cracking Attacks

    Uploaded by

    Afrah Hassan
    1. The document provides instructions for setting up DVWA (Damn Vulnerable Web Application), a platform for testing SQL injection and password cracking attacks. It describes downloading required software, configuring the platform, and performing sample attacks like displaying database users and contents of files. 2. The second part instructs on using SQL injections on DVWA to display lists of users and passwords stored in the database table. It describes using John the Ripper software to crack hashed passwords recovered from the database. 3. Finally, it prompts to change DVWA's security level to medium and high to explore how SQL injections could still be used to list users and what changes are made in the source code.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    4 - SQL Injection and Password Cracking Attacks

    Uploaded by

    Afrah Hassan
    88 views5 pages
    1. The document provides instructions for setting up DVWA (Damn Vulnerable Web Application), a platform for testing SQL injection and password cracking attacks. It describes downloading required software, configuring the platform, and performing sample attacks like displaying database users and contents of files. 2. The second part instructs on using SQL injections on DVWA to display lists of users and passwords stored in the database table. It describes using John the Ripper software to crack hashed passwords recovered from the database. 3. Finally, it prompts to change DVWA's security level to medium and high to explore how SQL injections could still be used to list users and what changes are made in the source code.

    Original Description:

    Original Title

    4- SQL Injection and Password Cracking Attacks

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    1. The document provides instructions for setting up DVWA (Damn Vulnerable Web Application), a platform for testing SQL injection and password cracking attacks. It describes downloading required software, configuring the platform, and performing sample attacks like displaying database users and contents of files. 2. The second part instructs on using SQL injections on DVWA to display lists of users and passwords stored in the database table. It describes using John the Ripper software to crack hashed passwords recovered from the database. 3. Finally, it prompts to change DVWA's security level to medium and high to explore how SQL injections could still be used to list users and what changes are made in the source code.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    88 views5 pages

    4 - SQL Injection and Password Cracking Attacks

    Uploaded by

    Afrah Hassan
    1. The document provides instructions for setting up DVWA (Damn Vulnerable Web Application), a platform for testing SQL injection and password cracking attacks. It describes downloading required software, configuring the platform, and performing sample attacks like displaying database users and contents of files. 2. The second part instructs on using SQL injections on DVWA to display lists of users and passwords stored in the database table. It describes using John the Ripper software to crack hashed passwords recovered from the database. 3. Finally, it prompts to change DVWA's security level to medium and high to explore how SQL injections could still be used to list users and what changes are made in the source code.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 5

    1|Page

    SQL Injection and Password Cracking


    Attacks
    Prerequisites
    1- Go to https://www.easyphp.org/ and download the easy php DEVSERVER:

    2- Install the DEVSERVER easy php and UNCHECK the ‘Launch easyPHP Devserver’

    3- Edit the httpd.conf file in ‘EasyPHP-Devserver-17\eds-


    binaries\httpserver\apache2425vc11x86x201120184207\conf’ folder
    2|Page

    4- Change the port from 80 to 8088:

    5- Download the DVWA from http://www.dvwa.co.uk/ unzip the file and put the folder
    inside a newly created folder in ‘EasyPHP-Devserver-17\eds-www’ called ‘dvwa’
    3|Page

    6- Go to ‘EasyPHP-Devserver-17\eds-www\dvwa\config’ and change the name of


    ‘config.inc.php.dist’ to ‘config.inc.php’ and open the file in notepad ++

    7- Change the db_password to ‘

    8- Right-click on EasyPHP icon on taskbar, Open Dashboard

    9- Run Http server, and Database Server


    4|Page

    10- Click on Portal Directory, then click dvwa

    11- Click on create database button at the bottom, and click on login after database is created.
    After starting dvwa (login: admin and password: password) change its security level to
    "low" and try SQL injection attacks (SQL Injection menu).

    Attacks on DVWA
    SQL injection is often used by hackers to exploit security vulnerabilities in your software to
    ultimately gain access to your site’s database. In this part of the lab, we will attack the DVWA
    platform with SQL injections. DVWA allows security administrators to test their knowledge
    related to web application attacks.
    To do:
    1. Display the list of database users.
    2. Display the contents of the notes.txt file located on c: /
    3. Display the logins and passwords of the users stored in the table.
    4. The passwords thus recovered by SQL injections are “hashed” (Secure Hash). To be able
    to determine their values in clear, we will use the John the Ripper software (you can
    download it or use it in the VM kali 2020)

    Create Password Hash File, copy username and password to a notepad file. Now you
    should see the user admin and the password hash separated by a ":" on the same line.
    5|Page

    Cut the username and password combinations for other users and paste in this file as well.
    Check if the passwords are broken.
    Try to login with cracked user account.
    5. Now change the security level of the DVWA platform and put it in medium. How would
    it be possible to list the list of users by an SQL injection?

    6. Now set the security level to High and check the source code of the corresponding page.

    You might also like