SQL Injection bWAPP DVWA UNION Pentesting

Manual SQL Injection: bWAPP & DVWA

Jan 15, 2022

A manual practice guide for exploiting SQL Injection vulnerabilities using UNION statements on bWAPP and an unhex() evasion technique on DVWA. UNION-based injection is a powerful technique that allows an attacker to append the results of their own malicious query to the results of the legitimate database request.

1. bWAPP - UNION-based Injection

Log into bWAPP using the default credentials and select the SQL Injection (Search/GET) module.

Step 1: Finding the number of columns

For a UNION operation to succeed, the injected SELECT must return exactly as many columns as the original query. We add one number at a time and resubmit until the page stops throwing an error; the count that finally succeeds (seven here) is the column count of the original query.

' union select 1,2,3,4,5,6,7#

Step 2: Enumerating the Database

Once we identify the columns reflected on the screen, we substitute them with SQL functions like database() to reveal our current schema. Then, we query information_schema.tables (MySQL's meta-database) using group_concat() to output all table names into a single readable string.

' union select 1,2,3,database(),5,6,7#
' union select 1,2,3,4,group_concat(table_name),6,7 FROM information_schema.tables WHERE table_schema=database()#

Step 3: Extracting Credentials

After pinpointing the users table, we query its contents directly. Passwords are usually hashed (SHA1 in this case). You can crack them using wordlists on sites like md5decrypt.net/en/Sha1/.

' union select 1,login,password,email,secret,6,7 FROM users#

2. DVWA Medium - unhex() Bypass

DVWA's medium security level applies the mysql_real_escape_string() PHP function. This attempts to neutralize quotes (') by escaping them (\'), preventing us from breaking out of string contexts.

The Bypass: Instead of typing a literal single quote, we use MySQL's built-in unhex() function and pass it the hex value of the character we need (e.g., 27 is the hex code for a single quote). Because the payload contains no quote character, the PHP escaping filter lets it through untouched, and the SQL engine evaluates unhex(27) back into a quote at query time!

unhex(27) or 1=1 order by 2#
unhex(27) union select 1, table_name FROM information_schema.tables WHERE table_schema=database()#
unhex(27) union select user,password FROM dvwa.users#

🔴 Put it into practice!

I have created a secure simulated environment (CTF) where you can try an authentication bypass using the concepts from this manual. If you succeed, you'll get a flag redeemable in the terminal.


Defensive Measures

SQL injection occurs when untrusted user input is concatenated directly into database queries, so the parser reads the input as SQL code. To eliminate this class of vulnerability, use parameterized queries (prepared statements): the query text is fixed, and user input is bound as a value that the database never parses as SQL. Escaping alone, as the unhex() bypass above shows, is not a substitute.

Secure PHP implementation using PDO:

<?php
// Connection values are placeholders; disabling emulated prepares makes MySQL prepare the statement server-side
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?"); // Query text is fixed, ? is a placeholder
$stmt->execute([$_GET['id'] ?? '']); // Input is bound as data, never parsed as SQL
$user = $stmt->fetch();
?>
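As an added example that is not part of the original post, the following Python script runs a bWAPP-style movie search both ways against a constructed in-memory SQLite database: with the search term concatenated into the query, the UNION payload from Step 3 returns rows from the users table, while the parameterized version binds the same payload as a plain pattern and matches nothing. SQLite stands in for MySQL here, so the line comment is -- instead of #, and the table contents are made up.

```python
import sqlite3


def build_db():
    # Constructed schema: a movies table the legitimate query reads and a
    # users table the UNION payload reaches. Passwords are placeholder strings.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE movies(id INTEGER, title TEXT, year INTEGER);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO movies VALUES (1, 'Iron Man', 2008), (2, 'The Matrix', 1999);
        INSERT INTO users VALUES (1, 'alice', 'sha1-placeholder-a'),
                                 (2, 'bob', 'sha1-placeholder-b');
    """)
    return db


def search_vulnerable(db, term):
    # Untrusted input is spliced into the statement text, so the SQL parser
    # treats a quote in the term as the end of the string and reads the rest as code.
    sql = f"SELECT id, title, year FROM movies WHERE title LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_parameterized(db, term):
    # Same query with a placeholder: the term is bound as a value, so a quote
    # or a UNION inside it is just characters to match, never SQL.
    sql = "SELECT id, title, year FROM movies WHERE title LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Column count (3) matches the original query, as Step 1 requires.
    payload = "' UNION SELECT id, login, password FROM users --"
    print("concatenated :", search_vulnerable(db, payload))
    print("parameterized:", search_parameterized(db, payload))
```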