Exploiting DVWA

Melita Crasta
3 min read · Mar 18, 2023


Steps for SQL INJECTION, CROSS-SITE SCRIPTING, FILE UPLOAD:

  • Turn on Metasploitable and Kali Linux at the same time.
  • Log in as superuser with the command sudo su.
  • To find the IP address, scan the network with nbtscan 192.168.56.102/24.
  • After finding the IP address of Metasploitable, enter it in Firefox, then select DVWA.
  • Opening the DVWA link brings up the login page.
  • Enter the username admin and the password password, then log in.
  • Once logged in, the DVWA main page appears.
  • Go to DVWA Security and change the security level from high to low.
  • Select SQL Injection, type 1"or"1="1 in the User ID field and submit. The username is returned.
  • Select SQL Injection (Blind), type 1"or"1="1 in the User ID field and submit. The username and other additional information are returned.
  • Select XSS (Reflected), type the script in the user's name field and submit. A prompt appears containing the alert message.
  • Select the Stored Cross Site Scripting (XSS) vulnerability. Type any text in the Name field and <script>prompt("enter credentials")</script> in the Message field. A prompt appears asking for the details to be entered.
  • Select the Upload option. The page states that the file to upload should be an image; if it accepts any other format, the website is vulnerable. Try uploading a .txt file: it is accepted and a message says the upload succeeded. Copy the returned path (leaving off the root) and paste it into the browser; you reach the index page of the database, which should not be visible.
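The three findings above all come down to the server trusting what the browser sends. The following Python example is added here as an illustration and is not code from the post or from DVWA itself (DVWA is written in PHP): it models each weak handler next to a hardened one so the cause of the behaviour seen in the lab is visible in code. The in-memory table, its sample rows and the uploads/ path are constructed for this example. The query string is delimited with single quotes, as DVWA's low-level SQL injection query is, so the tautology payload in the demo uses single quotes to match that delimiter.

```python
import html
import sqlite3
from pathlib import PurePosixPath

# Constructed in-memory stand-in for DVWA's users table. The rows are sample
# data made up for this example, not DVWA's real seed data.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


# --- SQL injection: why a tautology in the User ID field returns every row ---

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Low-security pattern: the request parameter is pasted into the SQL text.
    # The value is wrapped in single quotes, so a value that itself contains a
    # single quote changes the structure of the query rather than its data.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterised query: the driver sends the value separately from the SQL,
    # so quotes and keywords inside it are data, never syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# --- Reflected / stored XSS: why the <script> typed into a field executes ---

def render_vulnerable(name: str) -> str:
    # Echoes the submitted value into the HTML response unchanged.
    return f"<pre>Hello {name}</pre>"


def render_hardened(name: str) -> str:
    # Output encoding turns <, >, &, and quotes into entities, so the browser
    # displays the text of the payload instead of executing it.
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


# --- File upload: checking the "images only" claim on the server side ---

# Allowed extensions and the leading bytes a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def upload_vulnerable(filename: str, content: bytes) -> str:
    # Trusts the client-supplied name and stores whatever arrived under the web
    # root (uploads/ is an assumed path), so the reported path is browsable.
    return f"uploads/{filename}"


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    # Server-side validation: extension allow-list, magic-byte check and a size
    # cap. Returns (accepted, reason) so every rejection can be logged.
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not in allow-list"
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    return True, "accepted"


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"  # tautology; the quotes match the query delimiter
    print(lookup_vulnerable(db, payload))  # every row comes back
    print(lookup_hardened(db, payload))    # no row has that literal id
    xss = '<script>prompt("enter credentials")</script>'
    print(render_hardened(xss))
    print(check_upload("notes.txt", b"hello"))
```

A file that passes check_upload should still be written under a server-generated name to a directory outside the web root, and directory indexes should be switched off (Options -Indexes in Apache) so that the "index page which should not be visible" from the last step is never served.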
