SEC-REPORT: SQLI-2026

SQL Injection Assessment

A technical security audit detailing manual SQL injection testing and automated credential extraction on DVWA.

11 Total Payloads
CRITICAL Risk Rating
100% Exfiltration Rate
View Formal Audit Explore SQLi Findings
Conducted by Youssef Moataz

Executive Summary

This assessment confirms deep-seated SQL injection vulnerabilities. By combining manual logic testing with advanced automation, I achieved full data exfiltration and compromise of all user accounts within the target environment.

RISK LEVEL

CRITICAL

TARGET INFRA

Nginx 1.28.0 / MySQL 5.0.12

DATA LEAKAGE

Credentials + DB Structure

WEB SERVER

Nginx/1.28.0

DATABASE

MySQL >= 5.0.12 (MariaDB fork)

PLATFORM

PHP/8.4-mysql (DVWA)

Attack Lifecycle

1. Reconnaissance

Identified input vector id. Server headers revealed Nginx/1.28.0 backend.

2. Vulnerability Confirmation

Manual probes with ' OR 1=1 -- confirmed Boolean response shifts. SQLMap further identified Time-based (SLEEP) and UNION-based vectors.

3. Database Mapping

Exfiltrated schema info, identifying dvwa and information_schema. Mapped table relations for target data.

4. Data Exfiltration

Recovered 5 administrative records, extracted MD5 hashes, and successfully decrypted them via dictionary attack.

Technical Methodology

Manual Logic Flaws

Tested unsanitized input parameters with Boolean and Error-based payloads to map the backend database structure.

Automated Exploitation

Utilized SQLMap to automate schema enumeration and quickly dump administrative user records.

Custom Security Tooling

Developed a Python script using requests to automate heuristic vulnerability detection for custom injection verification.

Exploitation Log

┌──(kali)-[~]
└─$ sqlmap -u "..." --cookie="..." --dump

[INFO] Parameter 'id' is vulnerable (MySQL).
[INFO] Fetching entries for 'users' table.
[INFO] Starting dictionary attack (md5).
[SUCCESS] Cracked 5/5 hashes.

Time-Based Blind

Vulnerability confirmed via response delay payloads.

CRITICAL

UNION-Based Exfiltration

Full database leakage achieved via UNION results.

CRITICAL

Exfiltrated Data Set

Database dump recovered during the final exfiltration phase.

UID User MD5 Hash Status Plaintext
1admin5f4dcc3b5...CRACKEDpassword
2gordonbe99a18c42...CRACKEDabc123
313378d3533d75...CRACKEDcharley
4pablo0d107d09f...CRACKEDletmein
5smithy5f4dcc3b5...CRACKEDpassword

Technical Evidence

Step 1: Application Reconnaissance

Target Application

DVWA SQLi Module loaded.

Environment

Kali Linux toolset initialized.

Session Config

Capturing active PHP session tokens.

Manual Test

Confirming Boolean vulnerability.

Step 2: Automated Exploitation

SQLMap Init

Starting heuristic scan.

Vector Match

Blind and UNION vectors confirmed.

Database Extracted

Dumping 'users' table schema.

Hash Retrieval

Targeting MD5 credentials.

Data Dump

Passwords successfully extracted.

Step 3: Custom Python Scanner

Custom Script

Writing target scanner in Python.

Test Output

Confirming logic triggers.

Exfiltration Hook

Testing manual hash extraction.

Final Run

Successful detection logs.

Payload Reference

TypePayloadStatusResult
Boolean Bypass1' OR '1'='1VULNLogin Bypass
UNION Attack1' UNION SELECT null,version() --SUCCESSVersion Leak
Time-Based1' AND SLEEP(5) --VULNDelay Confirmed
Error-based1' AND extractvalue(1,...)SUCCESSDirect Retrieval

Detection Heuristics


def is_vulnerable(response, baseline, elapsed, payload):
    response_lower = response.lower()
    for indicator in SUCCESS_INDICATORS:
        if indicator in response_lower:
            return True, f"Found: {indicator}"
    if "sleep" in payload.lower() and elapsed > 1.5:
        return True, f"Time-delay confirmed ({elapsed:.2f}s)"
    return False, "Safe"

Remediation

Prepared Statements

Using parameterized queries to decouple user data from SQL instruction, nullifying injection vectors.

Input Sanitization

Strict type-enforcement and whitelist validation for every application entry point.