sqli [preparation] · 2017. 4. 28. · sqli [preparation] • download the posted zip file and...
TRANSCRIPT
-
Ndaw, Maam Awa
Page 1 of 14
SQLi
[Preparation]
• Download the posted zip file and place it under the Documents directory. Unzip it so that the files are
placed under Documents\SQLiLab.
• Start MS Visual Studio and go to “File > Open > Web Site”. Select the following directory:
“Documents\SQLiLab”. Launch “Default.aspx” page by clicking on Google Chrome.
[Task] SQL Injection
Click the link to test out the BAD login page. And answer the following two questions.
-
Ndaw, Maam Awa
Page 2 of 14
1. Enter "admin" for User Name and any arbitrary password for Password. Report the result in a
screenshot.
2. Use an injection and show that you can log in without using any credentials. Report the result in a
screenshot.
-
Ndaw, Maam Awa
Page 3 of 14
Click the link to test out the BAD product page.
3. Click the link at the bottom of the page. Explain why you get that result.
Because the link has an embedded SQL injection, ' UNION SELECT 0, password, userID FROM Users –
therefore it displays a joint users table with associated passwords.
Stay on the BAD product test page for the remaining questions.
4. Create an injection to figure out Table Name, Column Name in the database you currently are
connected to. Use Union and Information schema view. Report the result in a screenshot.
-
Ndaw, Maam Awa
Page 4 of 14
5. Create an injection to list all the logins and their passwords in the current MSSQL instance. Use Union
and Catalog view. Report the result in a screenshot.
-
Ndaw, Maam Awa
Page 5 of 14
-
Ndaw, Maam Awa
Page 6 of 14
-
Ndaw, Maam Awa
Page 7 of 14
-
Ndaw, Maam Awa
Page 8 of 14
-
Ndaw, Maam Awa
Page 9 of 14
-
Ndaw, Maam Awa
Page 10 of 14
-
Ndaw, Maam Awa
Page 11 of 14
-
Ndaw, Maam Awa
Page 12 of 14
6. Create an injection to list all the database names in the current MSSQL instance. Use Union and
Catalog view. Report the result in a screenshot.
-
Ndaw, Maam Awa
Page 13 of 14
7. Create an injection to list all the system tables in the current MSSQL instance. Use Union and Catalog
view. Report the result in a screenshot.
-
Ndaw, Maam Awa
Page 14 of 14
SQLi[Preparation][Task] SQL Injection