关键词 > SQLInjectionAttack
Homework 4: SQL Injection Attack
发布时间:2024-05-11
Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: daixieit
Homework 4: SQL Injection Attack
Due Date: 11:59 pm 4/27/24
Lab Overview
For this lab, you will use what you learned to implement exploits. You can find the SEED lab description here
(https://seedsecuritylabs.org/Labs_20.04/Web/Web_SQL_Injection/). If you’ve never used containers before, you may want to see the container manual (https://github.com/seed-labs/seed-
labs/blob/master/manuals/docker/SEEDManual-Container.md).
If you run this attack on your own computer, you need to install a Virtual Box and import the SEED-Ubuntu20.04.vdi into the Virtual Box. After that, the password for SEED account is “dees” when you login the VM.
Tasks: You will be implementing Task 2.1, 2.2 and 2.3.
If you face some error for docker build and up, please delete yourvdi file of homework 3 from Virtual box. And import the vdi of homework 4 again.
For “Lab Environment”, after building the container (dcbuild and dcup), you goto the websitehttp://seed-server.com. However, you may goto the different webpage (not the one shown in the description). The reason is that we need to map this hostname to the container’s IP address. Please add the following entry to the /etc/hosts file:
10.9.0.5 http://seed-server.com
The step is as follows:
Goto the seed@VM:
Please type: sudo nano /etc/hosts
Goto the end
Please type: 10.9.0.5 http://seed-server.com
Ctrl X to save
For task 2.1, this lab does not accept the “--” as comment. It will provide syntax error.
For task 2.2, for the special characters in the Username or Password fields, you need to encode them properly, or they can change the meaning of your requests. For example, if you want to include single quote in those fields, you should use %27 instead; if you want to include white space, you should use %20. For other special characters like “#”
Please use the following link to check the correct encoding:
Task 1 is to make you familiar with the SQL statement. You can get familiar with it since you need to use it for task 2 but you are not required to put the screenshot of Task 1 in the report. Please write your lab report according to the description of task 2.1, 2.2 and 2.3. Upload your answers as a PDF to Canvas. In your report, please contain two parts: (1) show your screenshot of code and some description of your code to analyze why your code looks like this; (2) show your screenshot of successful attack.
