Project 19 for CNIT 123: SQLol (20 pts.)

Requirements

You need a Kali Linux 2 machine.

Configuring and Starting MySQL

In a Terminal window, enter these commands:
apt-get update
apt-get install mysql-server
dpkg-reconfigure mysql-server-5.6
A box asks you for the "New password".

Type in a password of

password
and press Enter

In the next box, type in a password of

password
and press Enter

This is obviously an insecure password, but use it anyway for this project, to match the password SQLol expects.

In a Terminal window, enter these commands:

service mysql start

netstat -pant

MySQL starts, and you should see it listening on port 3306, as shown below:

Restarting Apache

In a Terminal window, enter this command:
service apache2 restart

Downloading and Installing SQLol

The original SQlol software was developed by spiderlabs. I modified it slightly and put a copy on my Web server--that's the version that makes this project easiest.

In your Linux machine, in a Terminal window, enter these commands:

cd /var/www/html

curl https://samsclass.info/124/proj11/sqlol-sbowne.tgz >sqlol-sbowne.tgz

tar xzf sqlol-sbowne.tgz

In your Linux machine, from the menu bar, click Applications, Internet, "IceWeasel Web Browser". (Note: Some Linux versions have Firefox instead).

In IceWeasel, go to

localhost/sqlol

SQLol opens, as shown below:

Click RESET

A message appears saying "Done!"

If you see the "Could not connect..." message shown below, restart mySQL with this command:

service mysql restart

In IceWeasel, click the Back button.

Challenge 0 - Hello, world!

In IceWeasel, from the localhost/sqlol page, click the Challenges link.

A list of challenges appears, as shown below:

Click the "Challenge 0" link.

Injecting Student

Enter Student in the "Injection String" field, as shown below, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

The SQL statement is shown--you have searched for records with username = 'Student'. Since there is no such user, there are no results.

Injecting an Asterisk (*)

In IceWeasel, click the Back button to return to the Challenge 0 page.

Enter a single asterisk in the "Injection String" field, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

This searched for username = '*', which doesn't exist, so it again returns no results.

Injecting an Apostrophe (')

In IceWeasel, click the Back button to return to the Challenge 0 page.

Enter a single apostrophe in the "Injection String" field, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

Note the message saying "Error: You have an error in your SQL syntax" -- that indicates a SQL injection vulnerability.

With a more carefully crafted injection, you can get the whole list of usernames to diplay.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 0

When you succeed, you will see a list of five records as shown below:

Saving the Screen Image

Make sure you can see the five records, as shown in the image above on this page, but without the gray box obscuring the data.

Save a screen image with the filename Proj 19a from Your Name.

Challenge 1 - SQL Injection 101

In IceWeasel, from the localhost/sqlol page, click the Challenges link.

Click the "Challenge 1" link.

This time your goal is to find SSNs.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 1

When you succeed, you will see a list of five records as shown below:

Saving the Screen Image

Make sure you can see the five records, as shown in the image above on this page, but without the gray box obscuring the data.

Save a screen image with the filename Proj 19b from Your Name.

Challenge 2 - The Failure of Quote Filters

In IceWeasel, from the localhost/sqlol page, click the Challenges link.

Click the "Challenge 2" link.

Once again, your goal is to find SSNs. The new feature is that you are injecting into a numeric field, not a text field, so you won't need apostrophes.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 2


When you succeed, you will see a list of seven records as shown below:

Saving the Screen Image

Make sure you can see the seven records, as shown in the image above on this page, but without the gray box obscuring the data.

Save a screen image with the filename Proj 19c from Your Name.

Turning in Your Project

Email the images to cnit.123@gmail.com with a Subject line of Proj 19 from Your Name.


Sources

https://github.com/SpiderLabs/SQLol

http://www.unixmen.com/how-to-enable-and-disable-apache-modules/

Last modified: 11-1-16