Project 19 for CNIT 123: SQLol (20 pts.)

Requirements

Configuring and Starting MySQL

dpkg-reconfigure mysql-server-5.5

Type in a password of

password

In the next box, type in a password of

password

This is obviously an insecure password, but use it anyway for this project, to match the password SQLol expects.

In a Terminal window, enter these commands:

service mysql start

netstat -an | grep LISTEN | more

Restarting Apache

service apache2 restart

Downloading and Installing SQLol

In your Linux machine, in a Terminal window, enter these commands:

cd /var/www

curl https://samsclass.info/124/proj11/sqlol-sbowne.tgz >sqlol-sbowne.tgz

tar xzf sqlol-sbowne.tgz

In IceWeasel, go to

localhost/sqlol

SQLol opens, as shown below:

Click RESET

A message appears saying "Done!"

If you see the "Could not connect..." message shown below, restart mySQL with this command:

service mysql restart

In IceWeasel, click the Back button.

Challenge 0 - Hello, world!

A list of challenges appears, as shown below:

Click the "Challenge 0" link.

Injecting Student

Scroll to the bottom of the next page to see the result of your injection, as shown below:

The SQL statement is shown--you have searched for records with username = 'Student'. Since there is no such user, there are no results.

Injecting an Asterisk (*)

Enter a single asterisk in the "Injection String" field, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

This searched for username = '*', which doesn't exist, so it again returns no results.

Injecting an Apostrophe (')

Enter a single apostrophe in the "Injection String" field, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

Note the message saying "Error: You have an error in your SQL syntax" -- that indicates a SQL injection vulnerability.

With a more carefully crafted injection, you can get the whole list of usernames to diplay.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 0

When you succeed, you will see a list of five records as shown below:

Saving the Screen Image

Make sure you can see the five records, as shown in the image above on this page, but without the gray box obscuring the data.

Save a screen image with the filename Proj 19a from Your Name.

Challenge 1 - SQL Injection 101

Click the "Challenge 1" link.

This time your goal is to find SSNs.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 1

When you succeed, you will see a list of five records as shown below:

Saving the Screen Image

Make sure you can see the five records, as shown in the image above on this page, but without the gray box obscuring the data.

Save a screen image with the filename Proj 19b from Your Name.

Challenge 2 - The Failure of Quote Filters

Click the "Challenge 2" link.

Once again, your goal is to find SSNs. The new feature is that you are injecting into a numeric field, not a text field, so you won't need apostrophes.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 2

Saving the Screen Image

Make sure you can see the seven records, as shown in the image above on this page, but without the gray box obscuring the data.

Save a screen image with the filename Proj 19c from Your Name.

Turning in Your Project

Email the images to cnit.123@gmail.com with a Subject line of Proj 19 from Your Name.

Sources

http://www.unixmen.com/how-to-enable-and-disable-apache-modules/

Last modified: 4-18-15