1 union select user, password from mysql.user...properly encoded would have sufficed.
Still, one would hope that root would choose a strong password, very difficult to crack.
Sadly, DVWA's default root password is blank, so obviously, no fun there...
So I took it upon myself to change root's password for him/her to one that is very difficult (but still not impossible) to crack.
In the following video, we will again exploit the SQL Injection vulnerabilities in DVWA, this time with the help of Burp Repeater/Decoder. Using MySQL's load_file function, we'll browse through the application's source code until we ultimately uncover something very interesting...
Scary easy, isn't it? In an upcoming post, we'll use root's pilfered credentials to further establish our foothold, increasing our penetration of the application.
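As an added illustration (not code from this post or from DVWA), the Python sketch below replays the query from the top of the post against an in-memory SQLite database: because the payload contains no quotes, quote escaping leaves it intact in an unquoted numeric context, while integer validation plus a bound parameter stops it. The table layout, the `db_accounts` stand-in for mysql.user, the helper names and the sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed stand-in data: "users" plays the application's table and
# "db_accounts" plays mysql.user (SQLite has none); all names are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown');
        CREATE TABLE db_accounts (user TEXT, password TEXT);
        INSERT INTO db_accounts VALUES ('root', '*CONSTRUCTED-HASH-PLACEHOLDER');
    """)
    return db

def escape_quotes(value):
    # Quote escaping only: the protection a string-escaping routine gives.
    return value.replace("\\", "\\\\").replace("'", "''")

def lookup_concatenated(db, user_id):
    # Vulnerable: the value lands in an unquoted numeric context, so a
    # payload that contains no quotes passes through escaping unchanged.
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = "
           + escape_quotes(user_id))
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # Hardened: accept only ASCII digits, then bind the value as data.
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("user_id must be an integer")
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?",
        (int(user_id),),
    ).fetchall()

# The post's query shape, with the table renamed to the SQLite stand-in.
PAYLOAD = "1 union select user, password from db_accounts"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, "1"))
    try:
        lookup_parameterized(db, PAYLOAD)
    except ValueError as exc:
        print("rejected     :", exc)
```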
Posted by Dennis Antunes
Mentoring the SANS Sec 542 in Foxboro, MA beginning 4/13/2011.