
Hello and good evening,

I've recently tried to improve my pentesting skills and learn more about it with Metasploitable 2. I am trying some things on the DVWA. For the moment, I am learning the basics of Burp Suite (more precisely, I am trying to learn more about the OWASP Top Ten).

But I get stuck at SQL injections in the DVWA SQLi section. Whenever I run a command like:

1' or '0'='0

I get redirected to a page saying:

Hacking attempt detected and logged.

I've tried some evasion techniques, but none of them are working. Am I doing something wrong? Does someone have any advice? I also tried the steps from: https://computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/index.html , but I get the same result running those commands...

(And please bear with me, I have been into pentesting for 3-4 months now and this is my first time using Burp/making SQLi attempts :) )

P.S. I found it is possible to make it work by disabling PHPIDS, but I am interested in how to evade and bypass it too.

Mechamod

3 Answers


Most likely your security setting is set to "high". This can be changed on the site or through the cookie "security". Higher settings allow you to try more advanced techniques...

Once you change your cookie, try typing the following into the field.

' or true;#

That seemed to work fine for me on low security.


Evading and bypassing would require using things like timing methods or blind SQLi. Best of luck.


Are you sure your security setting is set to "low" as outlined in the linked instructions? It's been a while since I touched DVWA, but it looks like the message you are receiving is caused by a basic WAF.

What's likely happening is that something in your SQLi input is being flagged by some code running in the web application. The query 1' or '0'='0 is very very basic and will only work in the simplest of such challenges.

There are many ways of writing queries that will give you the same exploitation potential while also evading the WAF. You should do some more reading into SQL syntax to find another way to express your payload.

jsaigle
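To see why a signature filter in front of a concatenated query is only a brittle extra layer, here is an added example (not DVWA's, PHPIDS's or any answerer's code) that runs the DVWA-style lookup `WHERE user_id = '$id'` against a constructed in-memory SQLite table, once built by string concatenation and once with a bound parameter, and feeds it the exact input from the question. The regex in `looks_like_injection` is an assumed, simplified stand-in for the "Hacking attempt detected" check, not the real PHPIDS rule set.

```python
import re
import sqlite3

# Constructed sample rows standing in for DVWA's users table.
SAMPLE_USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The shape DVWA uses: untrusted input pasted straight into the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # Same query with the value sent as a bound parameter: the whole input is
    # compared as one value against user_id and is never parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Assumed signature: a closing quote followed by OR. Any logically equivalent
# expression that avoids this token sequence passes, which is the weakness a
# blocklist filter cannot fix; only the parameterized query removes the bug.
SIGNATURE = re.compile(r"'\s*or\s", re.IGNORECASE)


def looks_like_injection(user_id: str) -> bool:
    return SIGNATURE.search(user_id) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '0'='0"  # the input from the question
    print("filter flags payload:", looks_like_injection(payload))
    print("concatenated query rows:", len(lookup_vulnerable(db, payload)))  # 3: every user
    print("parameterized query rows:", len(lookup_parameterized(db, payload)))  # 0: no such id
```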

Maybe try using some alternative expressions to a query that checks whether 1=1? Some examples could be:

For instances when the 'OR' keyword is being caught by WAF:

1 && 1 = 1
1 || 1=1

For instances where the equals sign (=) is being caught by WAF:

OR 2 between 3 and 1 
or 2 > 1
or 1 < 2

For instances where integer-based comparison is triggering WAF:

OR 'lolol' = 'lol'+'ol' 
OR 'LOL' > 'L'
OR 'LOL' = N'LOL'

I've never personally used DVWA (although I did go to university with Ryan Dewhurst, lol..) but these are just a few examples that come to mind. They're performing the same check as 1=1, just via alternative methods.

MLT