DVWA: Instructions for performing SQL Injection attack testing on DVWA Web server system


This article shows you how to perform a SQL injection attack test against a web server running the vulnerable DVWA application, in order to better understand the attack method and work out how to defend against it.

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that bundles common web application security flaws in its PHP source code. The same logic errors can occur in any programming language, so studying them helps reduce the security holes that come from careless programming. The main goal of DVWA is to provide a legitimate environment for hacking/pentest practice and to help web application developers understand safe and secure programming. DVWA also gives teachers and students a way to learn and practice basic and advanced web application security attacks.

Here I use the Sophos XGS firewall appliance


How to configure

  • Install a web server that contains vulnerabilities (here I use DVWA)
  • To install DVWA Server, see this article

Configure NAT for DVWA Web server using port 80 and try SQL Injection attack

  • Login to Sophos XGS firewall device with Admin account
  • Create Host for DVWA Web server -> Go to Hosts and services
  • Enter name for Server
  • In IP version: Choose IPv4
  • In Type: Choose IP
  • In IP address: Enter IP address of DVWA web server
  • Click Save
  • Go to Rules and policies -> Choose NAT rules tab -> Click Add NAT rule -> Choose Server access assistant (DNAT)
  • In Internal server IP address -> Choose the DVWA web server host that was created before -> Click Next
  • In Public IP address -> Choose the WAN port/IP address on which you want to publish the DVWA web server -> Click Next
  • In Services -> Choose HTTP and HTTPS service -> Click Next
  • In External source networks and devices -> Choose Any -> Click Next
  • Click Save and finish
  • Check access to web server DVWA
  • SQL Injection attack on DVWA server
  • Choose SQL Injection (Blind)
  • Enter number 1 -> Click Submit
  • Then try entering the following injection string so that it reaches the SQL query of the web server

1' union select user,password from users--+&Submit=Submit#

  • The data in the database is then exposed
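Why the string above works, and what closes the hole, shown as an added example (not code from DVWA or from the original article). It models the lookup with an in-memory SQLite table; the column names other than `user` and `password`, the string-built query and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3

# The id value from the payload above, with the URL-encoded "+" decoded to a space.
PAYLOAD = "1' union select user,password from users-- "

def make_db():
    """In-memory stand-in for the users table (constructed rows, not DVWA data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT,"
               " last_name TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "admin", "admin", "constructed-hash-admin"),
        (2, "Gordon", "Brown", "gordonb", "constructed-hash-gordonb"),
    ])
    return db

def lookup_vulnerable(db, user_id):
    # Vulnerable: the input becomes part of the SQL text, so a quote in it
    # closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = '"
           + user_id + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # Hardened: the SQL text is fixed and the input is bound as a value,
    # so it is only ever compared against user_id, never parsed.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        print(label, "id=1     ->", fn(db, "1"))
        print(label, "payload  ->", sorted(fn(db, PAYLOAD)))
```

With the string-built query the payload returns the `user` and `password` columns alongside the normal result; with the bound parameter the same input matches no row. The DNAT rule configured above only forwards HTTP/HTTPS to the server, so the fix has to live in the query itself.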
