data编程辅导 、讲解 SQL编程语言
Homework 4: SQL Injection Attack
Due Date: 11:59 pm 4/27/24
Lab Overview
For this lab, you will use what you learned to implement exploits. You
can find the SEED lab description here
(https://seedsecuritylabs.org/Labs_20.04/Web/Web_SQL_Injection/). If
you’ve never used containers before, you may want to see the container
manual (https://github.com/seed-labs/seedlabs/blob/master/manuals/docker/SEEDManual-Container.md).
If you run this attack on your own computer, you need to install a Virtual
Box and import the SEED-Ubuntu20.04.vdi into the Virtual Box. After
that, the password for SEED account is “dees” when you log in the VM.
Tasks: You will be implementing Task 2.1, 2.2 and 2.3.
If you face some error for docker build and up, please delete your vdi
file of homework 3 from Virtual box. And import the vdi of homework 4
again.
For “Lab Environment”
, after building the container (dcbuild and
dcup), you go to the website http://seed-server.com. However, you may
go to the different webpage (not the one shown in the description). The
reason is that we need to map this hostname to the container’s IP
address. Please add the following entry to the /etc/hosts file:
10.9.0.5 http://seed-server.com
The step is as follows:
Go to the seed@VM:
Please type: sudo nano /etc/hosts
Go to the end
Please type: 10.9.0.5 http://seed-server.com
Ctrl X to save
For task 2.1, this lab does not accept the “--” as comment. It will provide
syntax error.
For task 2.2, for the special characters in the Username or Password
fields, you need to encode them properly, or they can change the
meaning of your requests. For example, if you want to include single
quote in those fields, you should use %27 instead; if you want to include
white space, you should use %20. For other special characters like “#”
Please use the following link to check the correct encoding:
https://www.urlencoder.org/
Task 1 is to make you familiar with the SQL statement. You can get
familiar with it since you need to use it for task 2 but you are not
required to put the screenshot of Task 1 in the report. Please write your
lab report according to the description of task 2.1, 2.2 and 2.3. Upload
your answers as a PDF to Canvas. In your report, please contain two
parts: (1) show your screenshot of code and some description of your
code to analyze why your code looks like this; (2) show your screenshot
of successful attack.
*The significant content is borrowed from Prof. Wenliang Du.