Penetrations Testing Report of DVWA 1744005491
Penetrations Testing Report of DVWA 1744005491
Testing Report
www.dvwa.com
Help:
A SQL injection attack consists of insertion or "injection" of a SQL query via the
input data from the client to the application. A successful SQL injection exploit
can read sensitive data from the database, modify database data
(Insert/Update/Delete), execute administration operations on the database
(such as shutdown the DBMS), recover the content of a given file present on
the DBMS file system and in some cases issue commands to the operating
system. SQL injection attacks are a type of injection attack, in which SQL
commands are injected into data-plane input in order to effect the execution of
predefined SQL commands.
Key Findings:
1. SQL Injection :
• Identified critical SQL injection vulnerabilities in multiple modules.
• Demonstrated the potential for unauthorized access to sensitive
data.
. The 'id' variable within this PHP script is vulnerable to SQL injection
3. put the query that will show all the username , password from users table.
Payload: 1' Union select user,password from users #
4. We Enter the Union query for search the user and password from the users
table database
Risks: The identified vulnerabilities pose a significant risk to the confidentiality,
integrity, and availability of the DVWA application. If exploited, these
vulnerabilities could lead to unauthorized access, data breaches, and potential
service disruptions.
Level: Low
Vulnerability: XSS Reflected.
Step 1.
1. first find all the parameter which is vulnerable .
2. Both location have same name parameter vulnerable but at different
locations .
Poc:
4. As we can see both Parameter are vulnerable with the XSS Reflected
Vulnerability.
5. Also , we see that there is no firewall as well as any particular type of
filter to bypass the payload.