DISRUPTING DATABASES
Get your first taste of breaking something in the form of a deeply vulnerable web application.
In the past we’d have directed you to hack by setting up the Metasploitable virtual machine and attacking it. We’d encourage you to do that too (you’ll find all the information you need at https://github.com/rapid7/metasploitable3). But this time around we’re going to do something different. The Damn Vulnerable Web Application (DVWA) is exactly what you might expect: it’s a PHP application riddled with security holes. It requires a LAMP (Linux Apache MySQL PHP) stack to run, and it’s certainly not the sort of thing you want to deploy on an internet-facing server. So rather than set all that up from scratch, we’ll cheat and use the Docker image. Just follow the simple three-step guide (below). We can’t get enough of Portainer, so if you’re similarly enamoured with this container management solution, by all means use it to do the first step of the step-by-step guide.
Before you do that, though, let’s talk about Structured Query Language (SQL). It’s how you interact with databases. On Linux, that usually means a MySQL or MariaDB database. Such databases often sit behind web servers running PHP applications (such as WordPress). And very occasionally those databases or the applications relying on them are broken because someone figures out a way to inject some rogue SQL, often by typing something peculiar-looking into a web form. The classic example is to input something like:

    '; DROP TABLE users;

into a form, and have the database suddenly forget about all the users of the application. This generally doesn’t work anywhere now, but when it did, it did so because behind the scenes that form sent its input (unchecked!) to a query of the form:

    $sql = "SELECT username from users where username = '$user';";

If we substitute our malicious entry into the $user variable and reformat things slightly, our query becomes:

    SELECT username from users where username = ''; DROP TABLE users; ';
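
The substitution described above, run end to end as an added example (not code from the article or from DVWA). Python's sqlite3 module stands in for PHP and MySQL, and the table contents and function names are constructed for illustration. It shows the string-built query dropping the table, and a bound parameter treating the same input as plain data.

```python
import sqlite3

PAYLOAD = "'; DROP TABLE users;"  # the form input quoted in the article


def make_db():
    """Constructed sample data: an in-memory users table with two rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (username TEXT);"
        "INSERT INTO users VALUES ('alice'), ('bob');"
    )
    return db


def build_query(user):
    # Same pattern as the article's PHP line: input pasted straight into SQL.
    return "SELECT username from users where username = '%s';" % user


def lookup_unsafe(db, user):
    # executescript() runs every statement in the string, standing in for a
    # database API that accepts several statements per call (an assumption).
    try:
        db.executescript(build_query(user))
    except sqlite3.Error:
        pass  # the leftover "';" fails to parse, but only after the DROP ran


def lookup_safe(db, user):
    # Bound parameter: the input is only ever compared as a value.
    rows = db.execute("SELECT username FROM users WHERE username = ?", (user,))
    return [r[0] for r in rows]


def users_table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    print(build_query(PAYLOAD))
    safe_db = make_db()
    print(lookup_safe(safe_db, PAYLOAD), users_table_exists(safe_db))
    unsafe_db = make_db()
    lookup_unsafe(unsafe_db, PAYLOAD)
    print(users_table_exists(unsafe_db))
```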