SQLol (NETLAB)

Use your Kali32 Machine

Open the Kali32 virtual machine. Log in as root with the password toor.

Configuring and Starting MySQL

In a Terminal window, enter this command:
dpkg-reconfigure mysql-server-5.5
A box asks you for the "New password".

Type in a password of

password
and press Enter

In the next box, type in a password of

password
and press Enter

This is obviously an insecure password, but use it anyway for this project, to match the password SQLol expects.

In a Terminal window, enter these commands:

service mysql start

netstat -pant

MySQL starts, and you should see it listening on port 3306, as shown below:

Restarting Apache

In a Terminal window, enter this command:
service apache2 restart

Downloading and Installing SQLol

The original SQLol software was developed by SpiderLabs. I modified it slightly and put a copy on my Web server--that's the version that makes this project easiest.

In your Linux machine, in a Terminal window, enter these commands:

cd /var/www/html

wget http://samsclass.info/124/proj14/sqlol-sbowne.tgz

tar xzf sqlol-sbowne.tgz

In your Linux machine, from the menu bar, click Applications, Internet, "IceWeasel Web Browser". (Note: Some Linux versions have Firefox instead.)

In IceWeasel, go to

localhost/sqlol

SQLol opens, as shown below:

Click RESET

A message appears saying "Done!"

If you see the "Could not connect..." message shown below, restart MySQL with this command:

service mysql restart

In IceWeasel, click the Back button.

Challenge 0 - Hello, world!

In IceWeasel, from the localhost/sqlol page, click the Challenges link.

A list of challenges appears, as shown below:

Click the "Challenge 0" link.

Injecting Student

Enter Student in the "Injection String" field, as shown below, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

The SQL statement is shown--you have searched for records with username = 'Student'. Since there is no such user, there are no results.

Injecting an Asterisk (*)

In IceWeasel, click the Back button to return to the Challenge 0 page.

Enter a single asterisk in the "Injection String" field, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

This searched for username = '*', which doesn't exist, so it again returns no results.

Injecting an Apostrophe (')

In IceWeasel, click the Back button to return to the Challenge 0 page.

Enter a single apostrophe in the "Injection String" field, and click the Inject! button.

Scroll to the bottom of the next page to see the result of your injection, as shown below:

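Note the message saying "Error: You have an error in your SQL syntax" -- that indicates a SQL injection vulnerability. The apostrophe ended the quoted string early, which shows that your input is being parsed as part of the SQL statement instead of being treated as data.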
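
Why the lone apostrophe produces a syntax error while Student and * do not, and how a bound parameter removes the problem, shown as an added example that is not part of the original project or of SQLol. It uses Python's sqlite3 module in place of SQLol's PHP and MySQL so it runs offline; the table, its rows, and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for SQLol's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],  # constructed rows
    )
    return db


def lookup_concatenated(db, value):
    """Vulnerable pattern: the input is pasted into the SQL text."""
    query = "SELECT username FROM users WHERE username = '" + value + "'"
    try:
        return ("ok", db.execute(query).fetchall())
    except sqlite3.OperationalError as exc:
        # The input changed the statement's structure, so the parser rejected it.
        # An error like this reaching the browser is what the lab step observes.
        return ("syntax error", str(exc))


def lookup_parameterized(db, value):
    """Hardened pattern: the input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return ("ok", db.execute(query, (value,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    # The three inputs tried in Challenge 0, plus one name that exists.
    for value in ["Student", "*", "'", "alice"]:
        print(repr(value))
        print("  concatenated :", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

With the bound parameter, the apostrophe is searched for as a literal one-character username and simply returns no rows.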

With a more carefully crafted injection, you can get the whole list of usernames to display.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 0

When you succeed, you will see a list of five records as shown below:

Challenge 1 - SQL Injection 101

In IceWeasel, from the localhost/sqlol page, click the Challenges link.

Click the "Challenge 1" link.

This time your goal is to find SSNs.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 1

When you succeed, you will see a list of five records as shown below:

Challenge 2 - The Failure of Quote Filters

In IceWeasel, from the localhost/sqlol page, click the Challenges link.

Click the "Challenge 2" link.

Once again, your goal is to find SSNs. The new feature is that you are injecting into a numeric field, not a text field, so you won't need apostrophes.

Try to figure it out yourself. If you need help, see the tutorial here:

Tutorial 2


When you succeed, you will see a list of seven records as shown below:


Sources

https://github.com/SpiderLabs/SQLol

http://www.unixmen.com/how-to-enable-and-disable-apache-modules/

Last modified: 9-28-15
Revised for NETLAB 6-15-16
curl changed to wget 6-27-16