Scribd
Upload
17 views12 pages

Itp4416 Lab03 SQL Injection Part I v2024 v1

The document outlines a lab exercise for a course in Web Application Security, focusing on SQL injection techniques. It includes tasks for exploiting SQL vulnerabilities to retrieve hidden data, bypass login authentication, and perform UNION attacks to determine the number of columns in a query. Students are required to use tools like Burp Suite and Web Security Academy to complete the exercises and document their findings.

Uploaded by

alfred4302
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
17 views12 pages

Itp4416 Lab03 SQL Injection Part I v2024 v1

The document outlines a lab exercise for a course in Web Application Security, focusing on SQL injection techniques. It includes tasks for exploiting SQL vulnerabilities to retrieve hidden data, bypass login authentication, and perform UNION attacks to determine the number of columns in a query. Students are required to use tools like Burp Suite and Web Security Academy to complete the exercises and document their findings.

Uploaded by

alfred4302
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 12

HD in Cybersecurity (IT114122/IT314122/IT514122)

ITP4416 – Web Application Security AY2023/24 (Sem2)

Lab 03 – SQL Injection (Part I)


Name: ____________________ Class: ___________________
Learning Objectives:
Upon completion of this lab, you will be able to:
 apply SQL injection to vulnerable web application to retrieve hidden data
 use SQL injection to bypass login (vulnerable authentication page)
 apply SQL union attack to enumerate table information

Note:
- In order to access the virtual lab, you are required to register an account in Web
Security Academy (https://portswigger.net/web-security).

- Please use RED colored text for ALL your answer and set your
screen captures with RED colored boarder.

Page 1
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

Task 01 – SQL injection vulnerability in WHERE clause allowing retrieval of


hidden data.

1 Login to your Web Security Academy account. Select Academy and All labs.

2 Select the first LAB under SQL injection. Its title is “SQL injection vulnerability in WHERE clause
allowing retrieval of hidden data”. Read the instruction carefully. Then, click Access the lab to
access the victim website.

Page 2
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

3 Change the setting of your Firefox network setting to use Burp Suite as proxy server and then start
Burp Suite. Click the link, Gifts in the victim page. In Burp Suite, select Proxy tab and then HTTP
History tab, you should see the captured HTTP Get Request from your Firefox browser.

Select the HTTP Get Request and right click. Then, select Sent to repeater.

4 Consider the following SQL statement which will be executed according to your GET request
parameter (in our case, it is Gifts)
SELECT * from products WHERE category=’ ‘ AND released=1

5 Take a screen capture for the input of category as Gifts. What is the number of item displayed?

Page 3
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

Ans:
Number of item displayed:

Then, Change the input Gifts as shown below. Test them in your Burp Suite repeater.
Gifts => Gifts‘
What is returned from the Web server? Take a screen capture.

Write down the corresponding SQL statement.


Ans:

Gifts => Gifts‘ OR 1=1--


Note: There is a space after --.

What is returned from the Web server? Take a screen capture.

What is the number of item displayed?


Ans:

Write down the corresponding SQL statement.


Ans:

Page 4
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

What happened? Write down your findings.


Ans:

6 What is the meaning of --? (You may refer to the cheat sheet of Web Security Academy
https://portswigger.net/web-security/sql-injection/cheat-sheet)
Ans:

7 Close Burp Suite and turn off the proxy setting in Firefox. Change the input directly in your
browser URL. What is the result? Take a screen capture.
Ans:

Page 5
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

Task 02 – SQL injection vulnerability allowing login bypass

1 Login to your Web Security Academy account. Select Academy and All labs.
2 Select the first LAB under SQL injection. Its title is “SQL injection vulnerability allowing
login bypass”. Read the instruction carefully. Then, click Access the lab to access the victim
website.

3 Click the link, My Account to browse the login page of the web application.

Login with username, administrator and try to guess the password (e.g. password).
Write down the possible SQL statement for checking the username and password?
Ans:

4 User the following as the username (and any password you like).
administrator’
single quotation mark

Page 6
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

What is the result of your login? Take a screen capture.


Ans:

Write down the SQL executed when you login with the above username. Is it a well-formed
SQL statement? If not, suggest how to fix it such that it can ignore the password checking and
return the required record to web application (Hints: Use comment symbol, -- ).
Ans:

5 Apply the hints in step 4 to login. If succeeded, take a screen capture.

6 Redo the above login bypass by using Burp Suite. When you successfully complete the login
bypass, take a screen capture for your repeater tab to show what you sent to the server.

Page 7
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

7 Are the above injection techniques applicable to the password field? If yes, test it. If no,
explain why it cannot be used.
Ans:
Yes/No

Explanation:

Page 8
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

Task 03 – SQL injection UNION attack, determining the number of columns


returned by the query

1 Login to your Web Security Academy account. Select Academy and All labs.
2 Select the first LAB under SQL injection. Its title is “SQL injection UNION attack, determining
the number of columns”. Read the instruction carefully. Then, click Access the lab to access
the victim website.

3 Change the setting of your Firefox network setting to use Burp Suite as proxy server and then
start Burp Suite. Click the link, Pets in the victim page. In Burp Suite, select Proxy tab and
then HTTP History tab, you should see the captured HTTP Get Request from your Firefox
browser.

Write down the possible SQL statement executed for the above web page?

4 You are required to find out the number of columns of result from generated from the SQL
statement in step 3. Start with single quotation mark to see whether the application is SQL
injectable.
Note:
Listen to the explanation (and demonstration) about how to use UNION to combine two SQL
statements.

Page 9
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

List the payload you tried till you can get a return page with no error (You should convert your
payload by using URL encoding (i.e. select the payload and then, press ctrl U).

‘--
‘ UNION SELECT NULL--
What is the number of columns in the original query?
Ans:

5 Besides UNION attack, ORDER BY can also be used to determine the number of columns. Test
it and list the payload you will use.
Ans:

Page 10
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

Task 04 – Challenge exercises


1 Start your victim server (Ubuntu). Check IP address of your victim server

Victim Server IP Address:

2 Start SQL injection labs docker image in your victim server by using the following command.
docker run -dt –-name sqlilabs -p 80:80 acgpiano/sqli-labs

3 Access the victim page in Kali (using the URL, http://<victim server ip>). Click the link,
Setup/reset Database for labs.

4 Start the first challenge, Less-1.

Input the following URL to extract the first record within the database.
http://<your victim ip>/Less-1/?id=1

Page 11
HD in Cybersecurity (IT114122/IT314122/IT514122)
ITP4416 – Web Application Security AY2023/24 (Sem2)

5 Your tasks are


- Determine whether the web application has any SQL injection vulnerability.
Ans:
Yes/No
- If yes, then determine the number of columns of the query in the web page.
Ans:
Number of Columns:

END

Page 12

You might also like