Xvwa Ism Lab6
Security Management
THUNGON
LAB EXERCISE-6
Brute Force and SQL Injection on XVWA login
Aim: Perform the attacks by following the steps of the DVWA in XVWA.
Download XAMPP from the browser.
Open the terminal and install XAMPP.
Command: chmod +x xampp-linux-x64-8.2.12-0-installer.run
Now it will download XAMPP, and we need to set up XAMPP in our system.
After clicking the Forward button, it will start downloading XAMPP.
Now click on MySQL Database and click the Start button on the right side.
This starts the MySQL database so that we can access XVWA.
Now we need to download XVWA to our system. For that, search for "XVWA installation" in the browser; it will show the GitHub repository link. Click that link.
Download XVWA from GitHub.
Copy the path, open the files, go to the following path and open the terminal there:
/opt/lampp/htdocs
Now go to 127.0.0.1/phpMyAdmin and create the database.
Now enter 127.0.0.1/xvwa in the browser; we will now be able to see the content.
Aim:
• Brute force attack on XVWA login
• To inject different SQL injection manually in the input field
• To use sqlmap for conducting SQL injection on the website
• To add SQLiPy extension to Burp Suite and perform SQL injection
• In the Proxy section, right-click the request and send it to Intruder.
• Add the payload positions only to username and passwd, and remove the payload position for Cookie.
• Choose different attack types as per need. The results of each are shown next.
i. Sniper Attack:
Payload set: 1
Payload type: Simple list
Payload options: admin, user, xvwa

Payload set: 1
Payload type: Simple list
Payload options: admin, user, password, user123

iii. Pitchfork:
Payload set: 1 | 2
Payload type: Simple list | Simple list
Payload options: admin, user, xvwa | 1234, user, password

Payload set: 1 | 2
Payload type: Simple list | Simple list
Payload options: admin, user, xvwa | password, vulnerable, 4321
Since XVWA does not have a distinct login-failed or login-success page, there will be no change in response length or status code. Therefore, we have to manually check the different results in the browser.
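Because the login response has the same length and status code either way, a defender cannot spot failed attempts from the response alone. The following added example (not part of this lab report) flags brute-force attempts against the XVWA login from Apache access logs by request rate per source IP instead. The log lines are constructed samples, and the path /xvwa/login.php, the threshold and the window are assumptions.

```python
"""Flag login brute force against XVWA from Apache 'combined' access logs.
Added example, not code from the lab or from XVWA. Detection keys on the
POST rate per source IP, because XVWA's response does not reveal failure."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"), "path": m.group("path")}

def find_bruteforce(lines, login_path="/xvwa/login.php", threshold=10, window=timedelta(seconds=60)):
    """Return {ip: count} for IPs with >= threshold POSTs to login_path inside any
    sliding interval of length `window` (path and thresholds are assumptions)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def _line(ip, second, method="POST", path="/xvwa/login.php"):
    """Build a constructed log line; status and size are constant, as XVWA returns them."""
    return (f'{ip} - - [12/Mar/2024:10:15:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 5123 "http://127.0.0.1/xvwa/login.php" "Mozilla/5.0"')

# Constructed sample traffic: 12 attempts in 33 s from one IP, 2 from a normal user, one unrelated GET.
SAMPLE_LOG = [_line("10.0.0.5", s) for s in range(0, 36, 3)]
SAMPLE_LOG += [_line("10.0.0.9", 5), _line("10.0.0.9", 40)]
SAMPLE_LOG += [_line("10.0.0.5", 50, "GET", "/xvwa/")]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```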
Result:
Website:
The website has only one input field, which accepts either an item code or a search keyword and displays the corresponding information.
• This will take the request and auto-populate the information in the SQLiPy "SQLMap Scanner" tab.
• In the same tab, configure the options you want for the injection testing, then click the "Start Scan" button.
• Progress and informational messages on scans and other plugin activities are displayed in the SQLiPy extension's "SQLMap Logs" tab.
Results: