digininja/DVWA

SQL injection on low security only shows blank page

mohankk1297 opened this issue · 10 comments

I am trying to test the application with the injection '1' OR '1'='1' in DVWA.
But it returns a blank page instead of a MariaDB syntax error or values from the table.
The same goes for a colon.

Any help is appreciated.
OS - Kali
mysql Ver 15.1 Distrib 10.11.2-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
PHP 8.2.5 (cli)

I've just updated the README with info on how to get the error logs and make sure you've got error displaying turned on, check those.

https://github.com/digininja/DVWA#php-configuration

https://github.com/digininja/DVWA#log-files

Essilu commented

I am having the same issue. The difficulty is set to "LOW".

I tried the injection "'" and got a blank page, while only inputting "1" returns the following:
ID: 1
First name: admin
Surname: admin

Here are the last 5 lines of the log files:

==> /var/log/apache2/access.log <==
127.0.0.1 - - [21/Jun/2023:15:02:01 -0400] "POST /dvwa/vulnerabilities/javascript/ HTTP/1.1" 200 3579 "http://localhost/dvwa/vulnerabilities/javascript/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
127.0.0.1 - - [21/Jun/2023:15:02:05 -0400] "POST /dvwa/vulnerabilities/javascript/ HTTP/1.1" 200 3579 "http://localhost/dvwa/vulnerabilities/javascript/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
127.0.0.1 - - [21/Jun/2023:15:05:29 -0400] "GET /dvwa/vulnerabilities/sqli/ HTTP/1.1" 200 1658 "http://localhost/dvwa/vulnerabilities/javascript/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
127.0.0.1 - - [21/Jun/2023:15:06:14 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 500 295 "http://localhost/dvwa/vulnerabilities/sqli/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
127.0.0.1 - - [21/Jun/2023:15:06:15 -0400] "GET /favicon.ico HTTP/1.1" 404 488 "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

==> /var/log/apache2/error.log <==
[Wed Jun 21 12:35:32.110105 2023] [php:error] [pid 3287] [client 127.0.0.1:60060] PHP Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php:513\nStack trace:\n#0 /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php(513): mysqli_connect()\n#1 /var/www/html/dvwa/vulnerabilities/brute/index.php(13): dvwaDatabaseConnect()\n#2 {main}\n thrown in /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php on line 513, referer: http://localhost/dvwa/setup.php
[Wed Jun 21 12:35:32.541107 2023] [php:error] [pid 3696] [client 127.0.0.1:60070] PHP Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php:513\nStack trace:\n#0 /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php(513): mysqli_connect()\n#1 /var/www/html/dvwa/vulnerabilities/brute/index.php(13): dvwaDatabaseConnect()\n#2 {main}\n thrown in /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php on line 513, referer: http://localhost/dvwa/setup.php
[Wed Jun 21 12:35:49.769293 2023] [php:error] [pid 3724] [client 127.0.0.1:46068] PHP Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php:513\nStack trace:\n#0 /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php(513): mysqli_connect()\n#1 /var/www/html/dvwa/login.php(8): dvwaDatabaseConnect()\n#2 {main}\n thrown in /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php on line 513
[Wed Jun 21 12:36:10.694649 2023] [php:error] [pid 3723] [client 127.0.0.1:34102] PHP Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/dvwa/includes/DBMS/MySQL.php:13\nStack trace:\n#0 /var/www/html/dvwa/dvwa/includes/DBMS/MySQL.php(13): mysqli_connect()\n#1 /var/www/html/dvwa/setup.php(23): include_once('...')\n#2 {main}\n thrown in /var/www/html/dvwa/dvwa/includes/DBMS/MySQL.php on line 13, referer: http://localhost/dvwa/setup.php
[Wed Jun 21 15:06:14.871170 2023] [php:error] [pid 3723] [client 127.0.0.1:33476] PHP Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1 in /var/www/html/dvwa/vulnerabilities/sqli/source/low.php:11\nStack trace:\n#0 /var/www/html/dvwa/vulnerabilities/sqli/source/low.php(11): mysqli_query()\n#1 /var/www/html/dvwa/vulnerabilities/sqli/index.php(34): require_once('...')\n#2 {main}\n thrown in /var/www/html/dvwa/vulnerabilities/sqli/source/low.php on line 11, referer: http://localhost/dvwa/vulnerabilities/sqli/

If you need any more information or anything else, please let me know, and I'll do my best to provide it. Thanks in advance.
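The log excerpt above already explains the blank page: the request with `id=%27` got a 500, and error.log recorded an uncaught `mysqli_sql_exception` in the same second. The following is an added example, not part of the thread or of DVWA, that pairs 5xx requests with PHP fatal errors; the sample lines are abridged from the excerpt, and the 2-second window and the assumption that both logs use the same server-local clock are mine.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample, abridged from the log excerpt posted in the comment above.
ACCESS_LOG = """\
127.0.0.1 - - [21/Jun/2023:15:05:29 -0400] "GET /dvwa/vulnerabilities/sqli/ HTTP/1.1" 200 1658
127.0.0.1 - - [21/Jun/2023:15:06:14 -0400] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 500 295
"""
ERROR_LOG = r"""[Wed Jun 21 12:35:49.769293 2023] [php:error] [pid 3724] [client 127.0.0.1:46068] PHP Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/www/html/dvwa/dvwa/includes/dvwaPage.inc.php:513\nStack trace:
[Wed Jun 21 15:06:14.871170 2023] [php:error] [pid 3723] [client 127.0.0.1:33476] PHP Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1 in /var/www/html/dvwa/vulnerabilities/sqli/source/low.php:11\nStack trace:
"""

ACCESS_RE = re.compile(r'\[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
ERROR_RE = re.compile(
    r'^\[([^\]]+)\] \[php:error\].*?Uncaught (\w+): (.*?) in (/\S+?):(\d+)')

def correlate(access_text, error_text, window=timedelta(seconds=2)):
    """Pair each 5xx request with PHP fatal errors logged within `window` of it."""
    errors = []
    for line in error_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            ts = datetime.strptime(m[1], "%a %b %d %H:%M:%S.%f %Y")
            errors.append((ts, m[2], m[3], f"{m[4]}:{m[5]}"))
    findings = []
    for line in access_text.splitlines():
        m = ACCESS_RE.search(line)
        if not m or not m[3].startswith("5"):
            continue  # only failed requests are interesting here
        # Assumption: error.log timestamps are in the same local zone, so drop the offset.
        ts = datetime.strptime(m[1], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        params = parse_qs(urlsplit(m[2]).query)  # percent-decodes %27 to '
        for ets, exc, msg, where in errors:
            if abs(ets - ts) <= window:
                findings.append({"url_params": params, "exception": exc,
                                 "where": where,
                                 "sql_syntax_error": "SQL syntax" in msg})
    return findings

if __name__ == "__main__":
    for finding in correlate(ACCESS_LOG, ERROR_LOG):
        print(finding)
```

A 500 whose decoded parameter contains a quote, paired with a syntax error raised from `mysqli_query()`, shows request input reaching the query unescaped, which is the signal to alert on in a real deployment.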

Essilu commented

Would it be possible that the db is not working if the whole app is working well nonetheless? I'll look into the credentials to see if I made a mistake somewhere.

Essilu commented

I just re-ran the setup; everything looks good to me. Am I missing something?
Thanks for the quick responses, btw.

EDIT: I have just checked and everything is set up properly, from the username to the password.

Essilu commented

Okay, so apparently what was causing the blank page was the absence of a "1" at the start of my query; now it behaves normally. Thanks for your time.

So if you weren't seeing the errors then you've not got error displaying turned on, check the setup and README for info.