Hey folks! Another great post from Dennis Antunes on blind SQL injection!
In our previous post demonstrating Blind SQL Injection vulnerabilities in DVWA, we exploited the fact that user input is dynamically inserted into the SQL query, allowing us to dump and then later crack the password hashes in the dvwa database. Just as easily, we could have gone after all the users in the mysql database as well, including the root user. A payload such as

1 union select user, password from mysql.user

properly encoded, would have sufficed.
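The root cause the post points at is that the id parameter becomes part of the SQL text, so a UNION can pull rows from a table the query was never meant to touch. The following is an added example written for this page, not code from the post or from DVWA: it rebuilds the pattern against an in-memory SQLite database (standing in for MySQL) with constructed placeholder data, and puts the concatenating lookup next to a validated, parameterised one so the difference in behaviour can be seen on the same payload. The table named server_user is a stand-in for mysql.user; the hash values are made up.

```python
import sqlite3

# Constructed sample data: a users table like DVWA's and a second table that
# stands in for the server's privileged account table (mysql.user in the post).
# The password values are placeholders, not real hashes.
APP_USERS = [
    (1, "admin", "PLACEHOLDER_HASH_1"),
    (2, "gordonb", "PLACEHOLDER_HASH_2"),
]
SERVER_USERS = [
    ("root", "PLACEHOLDER_ROOT_HASH"),
    ("dvwa", "PLACEHOLDER_DVWA_HASH"),
]

# Same payload shape as in the post, with the stand-in table name.
UNION_PAYLOAD = "1 union select user, password from server_user"


def make_db():
    """Build the in-memory database with both constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", APP_USERS)
    conn.execute("CREATE TABLE server_user (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO server_user VALUES (?, ?)", SERVER_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the DVWA pattern: the id parameter is pasted into the SQL text,
    so whatever the client sends is parsed as SQL."""
    sql = f"SELECT user, password FROM users WHERE user_id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: the id must be an integer and is bound as a parameter,
    so the database only ever sees it as a value, never as query text."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    sql = "SELECT user, password FROM users WHERE user_id = ?"
    return conn.execute(sql, (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", lookup_vulnerable(db, "1"))
    print("vulnerable, payload   :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("safe, normal id       :", lookup_safe(db, "1"))
    print("safe, payload         :", lookup_safe(db, UNION_PAYLOAD))
```

With the concatenating lookup the payload returns the admin row plus both rows of server_user; with the parameterised lookup the same payload returns nothing, because it is not an integer id and, even if the integer check were removed, a bound parameter cannot change the statement's structure. Binding parameters is the fix; the integer check is defence in depth and gives the application a clean place to log rejected input.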

Still, one would hope that root would have chosen a strong password, one that is very difficult to crack.

Sadly, DVWA's root password is blank by default, so obviously, no fun there…

So I took it upon myself to change root’s password for him/her, to a very difficult (but still not impossible) password to crack.

In the following video, we will again exploit the SQL Injection vulnerabilities in DVWA, this time with the help of Burp Repeater and Decoder. Using MySQL's load_file function, we'll browse through the application's source code until we ultimately uncover something very interesting…
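load_file only works for the injected query because the account the web application connects with holds MySQL's FILE privilege (directly, or through ALL PRIVILEGES), which is why reviewing the application account's grants is the first check a defender makes after a finding like this. The following is an added example, not part of the post: a small audit helper that parses SHOW GRANTS output and flags accounts whose privileges reach beyond their own schema. The grant strings are constructed samples for hypothetical accounts in the usual SHOW GRANTS format; the account names and scopes are assumptions for illustration. A complementary server-side control is the secure_file_priv setting, which limits or disables file access for every account; it is not modelled here.

```python
import re

# Constructed SHOW GRANTS output for hypothetical accounts (sample strings, not
# taken from any real server). The first two have the least-privilege shape an
# application account should have; the last two hold grants that make load_file()
# available to an injected query.
SAMPLE_GRANTS = {
    "'dvwa'@'localhost'": [
        "GRANT USAGE ON *.* TO 'dvwa'@'localhost'",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `dvwa`.* TO 'dvwa'@'localhost'",
    ],
    "'reporting'@'%'": [
        "GRANT SELECT ON `dvwa`.* TO 'reporting'@'%'",
    ],
    "'webapp'@'%'": [
        "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION",
    ],
    "'legacy'@'localhost'": [
        "GRANT SELECT, FILE ON *.* TO 'legacy'@'localhost'",
    ],
}

# Privileges that let a compromised application account reach the server itself:
# FILE backs load_file() and INTO OUTFILE; ALL PRIVILEGES includes FILE; SUPER
# is flagged because it is never needed by a web application account.
RISKY = {"FILE", "ALL PRIVILEGES", "SUPER"}

# GRANT <privilege list> ON <scope> TO <account> [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE
)


def parse_grant(line):
    """Split one SHOW GRANTS line into (set of privilege names, scope).
    Column-level grants such as SELECT (col) are not handled here."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised grant line: {line!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return privs, m.group("scope")


def audit_account(grant_lines):
    """Return (risky privileges held, True if any real privilege is global).
    USAGE on *.* is MySQL's 'no privileges' marker and is not counted as global."""
    findings = set()
    global_scope = False
    for line in grant_lines:
        privs, scope = parse_grant(line)
        findings |= privs & RISKY
        if scope == "*.*" and (privs - {"USAGE"}):
            global_scope = True
    return findings, global_scope


def audit_all(grants):
    """Audit every account in a {account: [grant lines]} mapping."""
    return {acct: audit_account(lines) for acct, lines in grants.items()}


def risky_accounts(grants):
    """Accounts holding at least one privilege from RISKY, sorted by name."""
    return sorted(acct for acct, (found, _) in audit_all(grants).items() if found)


if __name__ == "__main__":
    for acct, (found, is_global) in audit_all(SAMPLE_GRANTS).items():
        status = "REVIEW" if found or is_global else "ok"
        print(f"{acct:25} risky={sorted(found)} global_scope={is_global} -> {status}")
```

Run against the constructed samples, the dvwa and reporting accounts pass and webapp and legacy are flagged. In practice the input would be the rows of SHOW GRANTS FOR the account named in the application's database configuration; an application account that needs no more than SELECT, INSERT, UPDATE and DELETE on its own schema cannot satisfy a load_file call no matter what the injected query asks for.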

Scary easy, isn't it? In an upcoming post, we'll use root's pilfered credentials to further establish our foothold, increasing our penetration of the application.

Posted by Dennis Antunes

@antunesdennis

Mentoring the SANS Sec 542 in Foxboro, MA beginning 4/13/2011.

Before you register email me at stratmofo at gmail dot com for a special discount code!
