SQL Injection

University Project #Cybersecurity

SQL Injection #

A basic SQL injection attack on an example website.

Setup#

Add address to etc/hosts#

Build docker containers#

Start docker containers#

Task 2.1: Webpage Select Injection#

On the login page…

We can easily login as the admin using the following credentials:

1
  Username: "Admin';-- "
2
  Password: ""

We can see we now have access to the admin account’s home page.

Task 2.2: Commandline Select Injection#

Now we want to send a curl to the webpage and pass parameters in the URL to perform a SQL Injection.

With the following command:

1
  curl 'www.seed-server.com/unsafe_home.php?username=Admin%27;--%20&Password='

Which results in:

Which is hard to read, but theres clearly a logout function and some kind of table, meaning we successfully logged in.

Task 2.3: Webpage Append Injection#

To run multiple SQL commands, we just need to add a second statement after the semicolon in our 2.1 input.

We can do this using the following credentials:

1
  Username: "Admin'; Update credentials set Nickname='Badmin' where eid=99999;# "
2
  Password: ""

However, this will always return a syntax error.

This is becasue the PHP function, $query used in the login page cannot perform multiple queries with one input by design.

Here’s a snippet from the PHP manual on this topic.

Task 3.1: Increase Alice’s Salary#

Now we want to increase the salary of the ‘Alice’ account.

We can change our the salary with the following inputs:

As we can see, the changes went through successfully.

Task 3.2: Set Boby’s Salary to 1#

To do this we need to modify the salary value, and also change the where clasue.

We can do this with the following inputs.

1
PhoneNumber: "', salary='1' where name='boby';-- "

As we can see using the docker shell, the changes went through.

Task 3.3: Change Boby’s Password#

Now we want to change Boby’s password without logging into their account.

We need to change the value in the phone number field to modify the where clause.

Additionally we need to input the new password into the password field.

By modifying the where clause, the password we input will be hashed and applied to Boby’s account instead of Alice’s

1
PhoneNumber: "' where name='boby';-- "
2
Password: "AliceIs#1"

Then, we can confirm this by logging into Boby’s account.

← Back to Projects

Add address to etc/hosts

Build docker containers

Start docker containers

3

Task 2.1: Webpage Select Injection

4

Task 2.2: Commandline Select Injection

5

Task 2.3: Webpage Append Injection

6

Task 3.1: Increase Alice’s Salary

7

Task 3.2: Set Boby’s Salary to 1

8

Task 3.3: Change Boby’s Password

SQL Injection#