sqli [preparation] · 2017. 4. 28. · sqli [preparation] • download the posted zip file and...

Ndaw, Maam Awa Page 1 of 14 SQLi [Preparation] • Download the posted zip file and place it under the Documents directory. Unzip it so that the files are placed under Documents\SQLiLab. • Start MS Visual Studio and go to “File > Open > Web Site”. Select the following directory: “Documents\SQLiLab”. Launch “Default.aspx” page by clicking on Google Chrome. [Task] SQL Injection Click the link to test out the BAD login page. And answer the following two questions.

Upload: others

Post on 05-Feb-2021

5 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Ndaw, Maam Awa

Page 1 of 14

SQLi

[Preparation]

• Download the posted zip file and place it under the Documents directory. Unzip it so that the files are

placed under Documents\SQLiLab.

• Start MS Visual Studio and go to “File > Open > Web Site”. Select the following directory:

“Documents\SQLiLab”. Launch “Default.aspx” page by clicking on Google Chrome.

[Task] SQL Injection

Click the link to test out the BAD login page. And answer the following two questions.
Ndaw, Maam Awa

Page 2 of 14

1. Enter "admin" for User Name and any arbitrary password for Password. Report the result in a

screenshot.

2. Use an injection and show that you can log in without using any credentials. Report the result in a

screenshot.
Ndaw, Maam Awa

Page 3 of 14

Click the link to test out the BAD product page.

3. Click the link at the bottom of the page. Explain why you get that result.

Because the link has an embedded SQL injection, ' UNION SELECT 0, password, userID FROM Users –

therefore it displays a joint users table with associated passwords.

Stay on the BAD product test page for the remaining questions.

4. Create an injection to figure out Table Name, Column Name in the database you currently are

connected to. Use Union and Information schema view. Report the result in a screenshot.
Ndaw, Maam Awa

Page 4 of 14

5. Create an injection to list all the logins and their passwords in the current MSSQL instance. Use Union

and Catalog view. Report the result in a screenshot.
Ndaw, Maam Awa

Page 5 of 14
Ndaw, Maam Awa

Page 6 of 14
Ndaw, Maam Awa

Page 7 of 14
Ndaw, Maam Awa

Page 8 of 14
Ndaw, Maam Awa

Page 9 of 14
Ndaw, Maam Awa

Page 10 of 14
Ndaw, Maam Awa

Page 11 of 14
Ndaw, Maam Awa

Page 12 of 14

6. Create an injection to list all the database names in the current MSSQL instance. Use Union and

Catalog view. Report the result in a screenshot.
Ndaw, Maam Awa

Page 13 of 14

7. Create an injection to list all the system tables in the current MSSQL instance. Use Union and Catalog

view. Report the result in a screenshot.
Ndaw, Maam Awa

Page 14 of 14

SQLi[Preparation][Task] SQL Injection