Performing SQL injection Attack lab (Ethical penetration testing)

Question Description

In the following course topic, the student can explore and demonstrate his capabilities in various penetration testing techniques and gain essential hacking skills together with their countermeasures.

The required topic is : SQL Injection Attack Lab

The detailed description for the project can be found in SEED Labs website (Ubuntu 16.04 Labs):


- Submit a detailed report for the project activities with an evidence of screen shots of running instances.

- Demonstrate your work on a live-demo in the class

- The project contributes 10 marks to your coursework.

Final Answer

Hello, how are you? Here is the solution:

REPORT - SQL Injection Attack Lab
This lab covers the following topics:
• SQL statement: SELECT and UPDATE statements
• SQL injection
• Prepared statement

-Using the command ''cat /etc/hosts'', we can view all the mapped domain names with their
corresponding IP addresses.
-We can see that the domain name '''' is mapped to , which is our UBUNTU-SEED local IP address.

-That means that the URL '''' is only accessible from
inside the virtual machine.
So, we can visit that specific URL from our UBUNTU-SEED machine's browser (we
have already checked that the Apache service is running).

-We can edit the /etc/hosts file and append the entry '' to it.
First, we execute the command ''sudo nano /etc/hosts'' in order to open the hosts file
in the nano editor.
The sudo command is required, since the hosts file is only writable by the 'root' user (the password
provided for the seed user is 'dees').

-Then we simply insert the line '' at the end of the file and
save the changes.

-So, now we can visit the '' URL from our machine's browser.
We can see that it loads the Apache2 Ubuntu Default Page, which in our case is stored
in '/var/www/html/index.html'.

-The next step is to modify the '000-default.conf' file in order to add the virtual hosts '''' and ''''.
First, we check the file permissions using the command:
''ls -ahl /etc/apache2/sites-available/000-default.conf''

-We can see that the specified file is writable only by the root user.
So we need to use the command ''sudo nano /etc/apache2/sites-available/000-default.conf'' to be able to modify it.
Next we append the following lines to the file:

DocumentRoot /var/www/Example_1/

DocumentRoot /var/www/Example_2/

-In order for the virtual hosts to operate properly, we need to edit the /etc/hosts
file (map their URLs to our local machine IP) and then add some content (e.g. index.html
files) under their corresponding directories (/var/www/Example_1 and
First, we modify the hosts file using the command:
''sudo nano /etc/hosts''
Then we add the following lines at the end of the file:

-Then we can add some content under their corresponding directories.
First we go to /var/www with the command ''cd /var/www''.
Then we create their directories:
''sudo mkdir Example_1 && sudo mkdir Example_2''
We can see that the two directories were created:

To demonstrate that the virtual hosts can be loaded, we can add an index.html file inside
/Example_1 and write some simple HTML code.
-So we enter the newly created 'Example_1' folder and create the index.html file:
''cd Example_1 && sudo touch index.html''

-Then we use the command ''sudo nano index.html'' to edit the index.html file and add
some simple HTML code inside it:

Example 1 Virtual Host


-Finally, to apply all the changes made, we need to restart the apache2 server:

''sudo service apache2 restart''

To verify that everything works as expected we just visit '''' in our
browser and we can see that the HTML code gets rendered:

The same procedure can be followed to add some content for the example2 virtual host.

3.1 Task 1: Get Familiar with SQL Statements

-We log in to the MySQL console using the command:
''mysql -u root -pseedubuntu''

-Then we load the 'Users' database using the command:

''use Users;''
-We can see all the tables inside the selected database using the command:
''show tables;''
-In order to print all the profile information of the employee named 'Alice', we can
use the following command:
''SELECT * FROM credential WHERE Name='Alice';''

Here is the screenshot of our results:

After executing the query we manage to retrieve Alice's personal information (e.g. name, birth
date, social security number), including her password in hashed form.

3.2 Task 2: SQL Injection Attack on SELECT Statement
For Task 2 we are provided with the code showing how a user gets authenticated:

$input_uname = $_GET['username'];
$input_pwd = $_GET['Password'];
$hashed_pwd = sha1($input_pwd);
...
$sql = "SELECT id, name, eid, salary, birth, ssn, address, email, nickname,
        Password FROM credential WHERE name= '$input_uname' and Password='$hashed_pwd'";
$result = $conn->query($sql);
// The following is pseudocode
if (id != NULL) {
    if (name == 'admin') { return All employees information; }
    else if (name != NULL) { return employee information; }
} else { Authentication Fails; }

• Task 2.1: SQL Injection Attack from webpage.
Our task is to log into the web application as the administrator from the login page, so we
can see the information of all the employees.
1. We are given the administrator's account name, which is ''admin'' (we don't know
the password).
2. We also know the SQL query executed server-side, which is:
"SELECT id, name, eid, salary, birth, ssn, address, email, nickname, Password
FROM credential WHERE name= '$input_uname' and Password='$hashed_pwd'";
3. We know that if we authenticate with username → 'admin' then all employees'
information gets returned.

So to successfully execute our attack we need to enter the following payload in our browser: '-- -

Here is the result:

-By entering the value ''admin' -- -'' in the ''Username'' parameter, the
following query gets executed:
'SELECT id, name, eid, salary, birth, ssn, address, email, nickname, Password
FROM credential WHERE name= admin ' -- - [everything to the right gets
commented out, so ''and Password='$hashed_pwd'"; gets ignored]
-By using the ' -- - ' syntax we are instructing the database server to treat everything to its
right as a comment, so 'and Password= $hashed_pwd' will not be executed.
As a result the initial query outputs the values stored in the columns
id, username, employee id, salary, birthday, social security number, nickname, email,
address and phone number of the credential table,
where the name equals the value 'admin'.
We already know that if we authenticate with the name --> 'admin' then the information of
all users gets returned.
-Since everything after the '-- -' gets ignored, the Password parameter's value does not matter.
For example: '-- &password=enter_whatever_value
will also return all the users' information.

Task 2.2: SQL Injection Attack from command line.
Our task is to repeat Task 2.1 using command line tools, such as curl (which sends
HTTP requests).
curl same logic behind the attack is the s...

mike21 (184)
UT Austin
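As an added illustration (not part of the tutor's report or the SEED lab's own code), the two sides of Task 2 placed next to each other: the lab's string-built login query reproduced in Python over an in-memory SQLite table, and the prepared-statement countermeasure the lab lists as its third topic. The table rows and passwords are constructed sample data.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for the lab's 'credential' table
# (not the SEED dataset): (name, clear-text password, salary).
USERS = [("admin", "adminpass", 99999), ("Alice", "seedalice", 20000)]


def sha1_hex(password):
    """The lab's PHP hashes the submitted password with sha1() before building the query."""
    return hashlib.sha1(password.encode()).hexdigest()


def setup_db():
    """In-memory SQLite database playing the role of the lab's MySQL 'Users' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credential "
                 "(id INTEGER PRIMARY KEY, name TEXT, salary INTEGER, Password TEXT)")
    for name, pwd, salary in USERS:
        conn.execute("INSERT INTO credential (name, salary, Password) VALUES (?, ?, ?)",
                     (name, salary, sha1_hex(pwd)))
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the lab's PHP: the username is spliced straight into the SQL text,
    so a value such as  admin' -- -  turns the password check into a comment."""
    sql = ("SELECT id, name, salary FROM credential "
           f"WHERE name='{username}' and Password='{sha1_hex(password)}'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Countermeasure: a prepared (parameterized) statement. The username is bound
    as data, so quotes and comment markers inside it never become SQL syntax."""
    sql = "SELECT id, name, salary FROM credential WHERE name=? and Password=?"
    return conn.execute(sql, (username, sha1_hex(password))).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Same payload as Task 2.1, wrong password both times.
    print("vulnerable:", login_vulnerable(db, "admin' -- -", "wrong"))  # admin row leaks
    print("prepared:  ", login_prepared(db, "admin' -- -", "wrong"))    # []
```

The `-- -` form matters for MySQL, which requires whitespace after `--`; SQLite accepts it as an ordinary line comment, so the same payload behaves identically here.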
