Blind SQL Injection 0x1 - DVWA (Easy)

1.9K views
Jan 19, 2021
29:07

We do not use sqlmap in this video. Today we discuss blind SQL injection exploit development against DVWA by using a combo of MySQL's ASCII() and SUBSTRING() functions instead of SLEEP(), and how to make a blind SQL vulnerability useful. This is part of a series, and it will get progressively more crazy! This video was filmed over the course of about 4-5 hours, so any feedback/criticism is probably warranted and necessary :D

Timeline:
0:00 - Intro
0:35 - Docker and DVWA Setup
2:30 - Vuln Discussion
6:09 - Looking At Burp
8:00 - Exploitation Strategy
9:23 - Starting The Exploit
10:44 - ASCII and SUBSTRING functions
12:40 - Continuing The Exploit
14:20 - Example Injection
16:30 - Loop-ception
21:40 - Replicating The Request
24:00 - Writing In Boolean Logic
24:40 - Trouble-shooting Errors
25:30 - First Proof of Concept
26:00 - Finishing The Exploit
27:05 - Final Exploit
27:20 - Outro

My Links:
Twitter - https://twitter.com/cwinfosec
Github - https://github.com/cwinfosec
Blog - https://cwinfosec.github.io

References:
https://www.kali.org/docs/containers/installing-docker-on-kali/
https://hub.docker.com/r/vulnerables/web-dvwa
https://www.w3resource.com/mysql/string-functions/mysql-ascii-function.php
https://www.w3schools.com/sql/func_mysql_substring.asp