Configuring and Starting MySQL
You may already have done this, but if your NETLAB session ended, you'll need to do it again. In a Terminal window, enter this command:
dpkg-reconfigure mysql-server-5.5
A box asks you for the "New password". Type in a password of
password
and press Enter.
In the next box, type in a password of
password
and press Enter.
This is obviously an insecure password, but use it anyway for this project, to match the password SQLol expects.
In a Terminal window, enter these commands:
service mysql start
netstat -pant
MySQL starts, and you should see it listening on port 3306, as shown below:
Restarting Apache
In a Terminal window, enter this command:
service apache2 restart
Downloading and Installing SQLol
The original SQLol software was developed by SpiderLabs. I modified it slightly and put a copy on my Web server--that's the version that makes this project easiest. In your Linux machine, in a Terminal window, enter these commands:
cd /var/www/html
curl https://samsclass.info/124/proj14/sqlol-sbowne.tgz >sqlol-sbowne.tgz
tar xzf sqlol-sbowne.tgz
In your Linux machine, from the menu bar, click Applications, Internet, "IceWeasel Web Browser". (Note: Some Linux versions have Firefox instead).
In IceWeasel, go to
SQLol opens, as shown below. If it does not open, restart Apache with this command:
service apache2 restart
Click RESET
A message appears saying "Done!"
If you see the "Could not connect..." message shown below, restart mySQL with this command:
service mysql restart
In your Linux machine, in IceWeasel, go to
A "Find Users" page opens, as shown below:
In the Name field, type
C%
Click the Submit button.
You should see the username "Chunk MacRunfast", as shown below:
In IceWeasel, click the Back button to return to the "Find Users" page.
In the Name field, type
%
Click the Submit button.
You should see all five usernames, as shown below:
The whole point of SQL injection is that a simple form like this can be tricked into revealing more data than the designer intended to reveal.
In IceWeasel, click the Back button to return to the "Find Users" page.
In the Name field, type
O'Neil
Click the Submit button.
You should see an error message, as shown below:
This is the kiss of death--an error like this means that you have lost control of the database, and an attacker can often extract all the data.
We'll steal the data with Havij, which is absurdly easy to use.
In a Terminal window, execute this command:
wine ~/.wine/drive_c/Program\ Files/Havij/Havij.exe
In the Havij window, type this URL into the Target field:
http://localhost/sqlol/search.php?q=x
In the Havij window, click the Analyze button.
The Log at the bottom of the Havij window should show happy blue and green text, indicating that it found a vulnerability, ending with "Current DB: sqlol", as shown below:
In the upper center of the Havij window, click the Tables button.
In the lower bar that appears, click the "Get Tables" button.
The tables "ssn" and "users" appear, as shown below:
In the left-center pane of the Havij window, check the ssn and users boxes.
In the center of the Havij window, click the "Get Columns" button.
The column names appear, as shown below:
In the left-center pane of the Havij window, in the "ssn" table section, check the name and ssn boxes.
In the center of the Havij window, click the "Get Data" button.
The names and SSNs appear, as shown below:
In a Terminal window, enter these commands:
cd /var/www/html/sqlol
cp search.php old-search.php
nano search.php
Scroll down a few screens to find the existing code marked with a comment saying "PATCH VULNERABLE CODE HERE", as shown below:
Add this line under the comment:
$q = mysql_real_escape_string($q);
Your code should now look like the image shown below:
Save the page with Ctrl+X, Y, Enter.
This line adds backslash characters before quotation marks, which will prevent simple SQL syntax errors. This is not the strongest defense possible against SQL injection, but it's a lot better than nothing.
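To make the difference between the three states of the search page concrete, here is an added Python example (it is not part of the original project and not SQLol's own code). It uses an in-memory SQLite database in place of PHP and MySQL, with a constructed five-name users table that includes the "Chunk MacRunfast" the lab expects for the search "C%"; the other four names are invented. It runs the lab's three inputs ("C%", "%", and "O'Neil") through the unpatched string-built query, the escaped query, and a parameterized query. One assumption to note: mysql_real_escape_string() escapes with a backslash (O\'Neil), while SQLite follows the SQL standard and doubles the quote (O''Neil), so the escaping function below uses the doubled form.

```python
import sqlite3
from typing import List

# Constructed sample data standing in for SQLol's "users" table: five names,
# including the "Chunk MacRunfast" the lab expects for the search "C%".
# The other four names are invented for this example.
SAMPLE_USERS = [
    "Chunk MacRunfast",
    "Mikey Walsh",
    "Brand Walsh",
    "Andy Carmichael",
    "Data Wang",
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database shaped like the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    conn.commit()
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The unpatched search.php pattern: user input pasted straight into the SQL text.
    A single quote in the input ends the string literal early, and the database
    raises a syntax error (the error page the lab shows for O'Neil)."""
    sql = f"SELECT username FROM users WHERE username LIKE '{name}'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value: str) -> str:
    """Escape the string-literal delimiter so the input cannot end the literal.
    mysql_real_escape_string() does this for MySQL with a backslash (O'Neil ->
    O\\'Neil); SQLite uses the SQL-standard doubled quote (O'Neil -> O''Neil),
    so this stand-in doubles the quote instead."""
    return value.replace("'", "''")


def find_users_escaped(conn: sqlite3.Connection, name: str) -> List[str]:
    """The lab's patch: the same string-built query, but the input is escaped first."""
    sql = f"SELECT username FROM users WHERE username LIKE '{escape_quotes(name)}'"
    return [row[0] for row in conn.execute(sql)]


def find_users_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """The stronger defense: a parameterized (prepared) statement. The SQL text is
    fixed and the value is passed to the database separately, so no character in
    the input can change the structure of the query."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def run_lab_inputs(name: str) -> dict:
    """Run one search string through all three variants and report the outcome.
    The vulnerable variant's syntax error is captured as text instead of raised."""
    conn = make_db()
    try:
        vulnerable = find_users_vulnerable(conn, name)
    except sqlite3.OperationalError as exc:
        vulnerable = f"SQL syntax error: {exc}"
    return {
        "vulnerable": vulnerable,
        "escaped": find_users_escaped(conn, name),
        "parameterized": find_users_parameterized(conn, name),
    }


if __name__ == "__main__":
    for search in ("C%", "%", "O'Neil"):
        print(repr(search), "->", run_lab_inputs(search))
```

Running the script reproduces the lab: "C%" returns Chunk MacRunfast in all three variants, "%" returns all five names in all three, and "O'Neil" produces a syntax error only in the unpatched variant while the escaped and parameterized variants return an empty result. The parameterized form is the "stronger defense" the text alludes to; in current PHP, where the mysql_* functions no longer exist, that means a PDO or mysqli prepared statement. Note also that neither fix changes what "%" does: escaping the quote character protects the query's structure, but if the designer does not want a bare wildcard to list every user, the LIKE pattern characters have to be handled as well.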
A "Find Users" page opens, as shown below:
In the Name field, type
O'Neil
Click the Submit button.
Now, instead of an error, you see a chart showing that no results were found, as shown below:
You can see how the fix works: the URL shows the original search string of O'Neil, but the top of the results Web page shows the escaped version O\'Neil.
In the Havij window, type this URL into the Target field:
http://localhost/sqlol/search.php?q=x
In the Havij window, click the Analyze button.
The Log at the bottom of the Havij window shows red error messages, as shown below, because the site is no longer vulnerable.