Lesson 6: Introduction to Hacking Databases

Exercise 6.1

  1. Use the Burp proxy, as you learned in class, to capture all traffic between your browser and the DVWA. Make sure your browser's proxy settings point at Burp (by default 127.0.0.1, port 8080).
  2. Navigate to SQL Injection in the DVWA.
  3. Enter a string in the username form.
  4. Capture the request in Burp and save it to a file, for example sql_test.txt.
  5. Launch sqlmap with that file: sqlmap -r sql_test.txt --dbs.
  6. Follow the instructions in sqlmap.
  7. You should see the databases on the system. Then run sqlmap -r sql_test.txt -D dvwa --dump-all to dump the contents of the dvwa database.

Exercise 6.2

  1. You can do similar things with OWASP ZAP (zaproxy). Make sure Burp is not running, then launch zaproxy.
  2. For this one, I am not going to give you a lot of instructions ;-) Try to figure out how to perform a SQL injection against the same DVWA using zaproxy.
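To see what sqlmap is actually exploiting in the exercises above, here is an added example (not part of the lesson and not DVWA's own code): a DVWA-style user lookup built by string concatenation, beside the parameterized form that closes the hole. The in-memory SQLite table and its rows are constructed here; the schema is an assumption modelled on the users table DVWA queries.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the DVWA "users" table (schema is an assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return con


def lookup_vulnerable(con, user_id):
    # The request parameter is pasted straight into the SQL text, so anything
    # the browser (or sqlmap) sends is parsed as part of the query itself.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(query).fetchall()


def lookup_safe(con, user_id):
    # Parameterized query: the value travels to the engine separately from the
    # SQL text and is only ever treated as data, never as query syntax.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(query, (user_id,)).fetchall()


def is_valid_id(user_id):
    # Defence in depth: an id is expected to be a plain integer, so reject
    # anything else before it reaches the database at all.
    return user_id.isdigit()


if __name__ == "__main__":
    con = make_db()
    normal = "2"
    tampered = "' OR '1'='1"  # constructed tautology, the textbook injection
    print("vulnerable, normal input:", lookup_vulnerable(con, normal))
    print("vulnerable, tampered input:", lookup_vulnerable(con, tampered))  # every row
    print("safe, tampered input:", lookup_safe(con, tampered))  # no rows
    print("id check on tampered input:", is_valid_id(tampered))  # False
```

The tampered input turns the concatenated WHERE clause into a tautology and returns every row, which is exactly the behaviour sqlmap probes for; the parameterized version returns nothing for the same input.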
