On Thursday evening we experimented with using SQL injection to attack the deliberately vulnerable Damn Vulnerable Web App running on a Raspberry Pi.
The web app can be found here: http://www.dvwa.co.uk/
The instructions we followed can be found here: https://computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/index.html
Unfortunately, the final stage of brute forcing the recovered password hashes failed because of problems with the John the Ripper application installed on the Pi. Subsequently running it on the server resulted in the following successful output after less than two seconds.
(gordon:~) rs% /usr/sbin/john –format=raw-MD5 tmp/hashes.txt
Loaded 5 password hashes with no different salts (Raw MD5 [128/128 SSE2 intrinsics 12x])
password (admin)
password (smithy)
abc123 (gordonb)
letmein (pablo)
charley (1337)
guesses: 5 time: 0:00:00:01 DONE (Thu Mar 16 21:01:37 2017) c/s: 136773 trying: charty1 – charlee
Use the “–show” option to display all of the cracked passwords reliably