Project 11: SQL Injection (10 pts.)
What You Need
- Any computer with a Web browser
Purpose
SQL injection is the most important
vulnerability in the world. Over 90%
of all the stolen data has been stolen with
this attack.
Opening the SQL Hands-On Page
In a Web browser, open this page:
http://attack.samsclass.info/sqlol-raw/search-raw.htm
1. Reset the Database
In section 1 click the Reset button.
2. SQL Database Structure
Read through section 2 to understand
essential SQL concepts.
3. SQL SELECT Queries
SELECT queries find data
in the database and display it.
Try each of the queries shown and see how
they work.
Try all the queries shown, and find one
that reveals social security numbers,
as shown below.
4. Search for Usernames
The form only accepts usernames, but by
using carefully crafted usernames containing
apostrophes you can use it to perform
SELECT queries.
Try all the queries shown, and find one
that reveals social security numbers,
as shown below.
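To see why an apostrophe in a username lets the search form run arbitrary SELECT logic, and how parameter binding closes that hole, here is an added Python/SQLite example. It is not part of the course page; the table name, column names and sample rows are constructed assumptions, not data from the lab.

```python
import sqlite3

# Constructed sample data standing in for the lab's users table
# (table and column names are assumptions, not from the course page).
SAMPLE_USERS = [
    ("alice", "123-45-6789"),
    ("bob", "987-65-4321"),
    ("o'brien", "555-55-5555"),
]

def make_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def vulnerable_search(conn, username):
    """String concatenation: the input becomes part of the SQL text, so an
    apostrophe closes the literal and whatever follows is parsed as SQL."""
    query = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def safe_search(conn, username):
    """Parameter binding: the input is handed to the driver as one string
    value, whatever characters it contains, and never reaches the parser."""
    query = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def compare(username):
    """Run both versions on the same input. 'error' marks a query the
    database rejected, which is what a real user named O'Brien would hit
    on the vulnerable form."""
    conn = make_db()
    try:
        vuln = vulnerable_search(conn, username)
    except sqlite3.Error:
        vuln = "error"
    return vuln, safe_search(conn, username)

if __name__ == "__main__":
    # A normal name, a name with an apostrophe, and the classic tautology.
    for name in ["alice", "o'brien", "' OR '1'='1"]:
        print(repr(name), "->", compare(name))
```

The concatenated query returns every row (SSNs included) for the tautology input and fails outright for a legitimate apostrophe, while the bound query returns exactly the matching user in both cases.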
Saving the Screen Image
Make sure social security numbers are
visible, and that the title of the table
is "Usernames Found",
as shown above.
Save a whole-desktop image
with a filename of "Proj 11 from YOUR NAME".
Extra Credit
Now that you've seen how it works, continue
on to Project 11x to get more credit by
completing the challenges at the
bottom of that page.
Turning In Your Project
Email the image to cnit.120@gmail.com with a subject of
"Project 11 from YOUR NAME".
Posted: 4-11-16