Jump to content

Cannot get SQL injection to work on DVWA


KaliGuy
 Share

Recommended Posts

I've been searching high and low for a solution and can't find one.  Inputting a ' or 1', for example leads me to a blank page on low security setting.  I'm using PHP 8.2 and apache2, and have DVWA set up in Kali Linux.  Please help and list file paths in responses, I don't have a lot of linux experience.   

There is mention of configuring an .htaccess file on the github DVWA page, but I cannot find this file and I'm not sure if this is even the solution.  

Thank you!

Link to comment
Share on other sites

Assuming you are talking about error based rather than blind SQLi, if you put a single quote in the input box you should get an error. If you don't, it means your setup is broken.

Nothing to do with .htaccess.

I'm not going to respond with file paths, I'm going to tell you to do some research and work out where the Apache logs are and then watch them at the time you try the attack. See if there is an error in them which will help work out what is going wrong. If you want to learn security, you have to learn how to do research and debug things like this, a very quick google will tell you where the logs are.

And please don't post the same question in multiple areas, duplicates will be removed.

Link to comment
Share on other sites

13 hours ago, digininja said:

Assuming you are talking about error based rather than blind SQLi, if you put a single quote in the input box you should get an error. If you don't, it means your setup is broken.

Nothing to do with .htaccess.

I'm not going to respond with file paths, I'm going to tell you to do some research and work out where the Apache logs are and then watch them at the time you try the attack. See if there is an error in them which will help work out what is going wrong. If you want to learn security, you have to learn how to do research and debug things like this, a very quick google will tell you where the logs are.

And please don't post the same question in multiple areas, duplicates will be removed.

I appreciate the info about Apache logs.  I didn't find this possible solution anywhere during my searching.  I hope this resolves it.   so far, this is the Linux related issue I have never found a solution for through research.  

Link to comment
Share on other sites

Did you try googling:

where are apache logs

I just tried and there are loads of results.

What other research have you done?

  • Upvote 1
Link to comment
Share on other sites

Posted (edited)

I agree with ninja. I've seen so many people coming into here asking very simple questions which could be solved a google search..

If I didn't have my own restraints on posting links to let me google that for you..

Edited by Jtyle6
  • Like 1
Link to comment
Share on other sites

Ok, I entered the command sudo tail -100 /var/log/apache2/error.log and got this when I tried SQLi single quote injection on low security setting in DVWA:

 

[Sun May 29 19:20:35.288834 2022] [mpm_prefork:notice] [pid 4676] AH00163: Apache/2.
4.53 (Debian) configured -- resuming normal operations
[Sun May 29 19:20:35.288888 2022] [core:notice] [pid 4676] AH00094: Command line: '/
usr/sbin/apache2'
[Sun May 29 19:21:03.062986 2022] [php:error] [pid 4678] [client 127.0.0.1:34482] PH
P Fatal error:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right synt
ax to use near ''''' at line 1 in /var/www/html/DVWA/vulnerabilities/sqli/source/low
.php:11\nStack trace:\n#0 /var/www/html/DVWA/vulnerabilities/sqli/source/low.php(11)
: mysqli_query()\n#1 /var/www/html/DVWA/vulnerabilities/sqli/index.php(34): require_
once('...')\n#2 {main}\n  thrown in /var/www/html/DVWA/vulnerabilities/sqli/source/l
ow.php on line 11, referer: http://127.0.0.1/DVWA/vulnerabilities/sqli/
[Sun May 29 19:21:25.380202 2022] [php:error] [pid 4682] [client 127.0.0.1:34484] PH
P Fatal error:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right synt
ax to use near ''''' at line 1 in /var/www/html/DVWA/vulnerabilities/sqli/source/low
.php:11\nStack trace:\n#0 /var/www/html/DVWA/vulnerabilities/sqli/source/low.php(11)
: mysqli_query()\n#1 /var/www/html/DVWA/vulnerabilities/sqli/index.php(34): require_
once('...')\n#2 {main}\n  thrown in /var/www/html/DVWA/vulnerabilities/sqli/source/l
ow.php on line 11, referer: http://127.0.0.1/DVWA/vulnerabilities/sqli/
[Sun May 29 19:21:29.869674 2022] [php:error] [pid 4680] [client 127.0.0.1:34486] PH
P Fatal error:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the right synt
ax to use near ''''' at line 1 in /var/www/html/DVWA/vulnerabilities/sqli/source/low
.php:11\nStack trace:\n#0 /var/www/html/DVWA/vulnerabilities/sqli/source/low.php(11)
: mysqli_query()\n#1 /var/www/html/DVWA/vulnerabilities/sqli/index.php(34): require_
once('...')\n#2 {main}\n  thrown in /var/www/html/DVWA/vulnerabilities/sqli/source/l
ow.php on line 11, referer: http://127.0.0.1/DVWA/vulnerabilities/sqli/

 

 

I have no idea what to make of this....


 

Link to comment
Share on other sites

On 5/24/2022 at 2:15 AM, digininja said:

Did you try googling:

where are apache logs

I just tried and there are loads of results.

What other research have you done?

I tried different versions of php.  tried installing DVWA from different sources.   I found mantion on the github page that the problem could be with the .htaccess file but cannot locate this particular .htaccess file anywhere (and not sure if this will solve the problem either):

 

If you are using PHP v5.2.6 or above, you will need to do the following in order for SQL injection and other vulnerabilities to work.

In .htaccess:

Replace:

<IfModule mod_php5.c>
    php_flag magic_quotes_gpc off
    #php_flag allow_url_fopen on
    #php_flag allow_url_include on
</IfModule>

With:

<IfModule mod_php5.c>
    magic_quotes_gpc = Off
    allow_url_fopen = On
    allow_url_include = On
</IfModule>
Link to comment
Share on other sites

The error is there as expected so all is working correctly. Send a screenshot of what you get when you put in a single quote.

Asi said a few replies back, it is nothing to do with the htaccess file, that was for PHP 5.x

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...