1307831761-CSE565_lab2_template_Koushik_Kumar_Selvakumar

pdf

School

Texas A&M University *

*We aren’t endorsed by this school

Course

565

Subject

Computer Science

Date

Feb 20, 2024

Type

pdf

Pages

14

Uploaded by CaptainNeutron8685

Report
CSE565 Lab 2 Name : KOUSHIK KUMAR SELVAKUMAR Email : selvaku2@buffalo.edu UBID : selvaku2 UB Number : 50547808 Before You Start: Please write a detailed lab report, with screenshots , to describe what you have done and what you have observed . You also need to provide explanation to the observations that you noticed. Please also show the important code snippets followed by explanation. Simply attaching code without any explanation will NOT receive credits. After you finish, export this report as a PDF file and submit it on UBLearns. Academic Integrity Statement: I, Koushik Kumar Selvakumar, have read and understood the course academic integrity policy. (Your report will not be graded without filling your name in the above AI statement) Task 1: Get Familiar with SQL Statements In this task we have to login to mysql database to show tables and the Alice’s Credential table. Figure 1 Shows the login and loading the database. Figure 2 shows the Overall Credential table and Alice’s Credential table.
Figure 1: Loading the Database Figure 2: Showing The Credential Table. I have used command line “ Select * from credential; “ to show the table and “ select * from credential where name = ‘Alice’; “ to display the Alice’s credential table . Task 2: SQL Injection Attack on SELECT Statement Task 2.1: SQL Injection Attack from webpage. In this task, We need to log in to the admin page without using any employee credentials. Figure 3 illustrates logging in to the webpage for SQL injection.
Figure 3: Logging in without Employee Credentials I have used “ admin’;#” as username to login into webpage without Password. Figure 4 shows the detailed table of all Employee after logging in into SQL Injection Webpage without their credentials. Figure 4: Employee Detail After Logging In
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Task 2.2: SQL Injection Attack from command line. In this task, we have to perform the attack by logging in to the admin credential in the terminal without knowing any employee credentials. Figure 5 shows the command line to login to the admin. Figure 5: command line to login without credentials in the terminal. Figure 6 shows the employee details in the terminal. Figure 6: Employee Details in the terminal
Task 2.3: Append a new SQL statement. In this task, a SQL injection attack must be used to update the database. Multiple SQL statements have to be used, each one separated by a ";". Command line use to Update the Database in the website login page. alice'; UPDATE credential SET Salary ='2000' WHERE name='alice' ;# Figure 7: Command to Update Database in Webpage login. As the webpage allows only single SQL statement, we couldn’t able to perform SQL Injection Attack using Multiple SQL statement in the webpage login. Figu re 8 shows the error which couldn’t able to perform the given query.
Figure 8: Error to perform given query. Task 3: SQL Injection Attack on UPDATE Statement Task 3.1: Modify your own salary. In this task, we need to update the database by using SQL injection attack in the webpage by updating the salary of Alice. Figure 9 shows the SQL update performing in Alice’s Profile. Figure 9: Modifying Alice Salary Figure 10 shows the modified Alice Salary. Before Modification Alice salary was “20000”. After the modification Alice Salary is “65000”
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Figure 10: Modified Alice Profile. The query to modify the Alice salary was performed in the Phone number column and the query is “ 716-000-0000', salary = '65000 Task 3.2: Modify other people’ salary. After Modifying the Alice Salary we need to perform the same task from Alice Profile to Modify Boby’s Salary to ‘ 1 ’. To perform this attack, I have used Alice Profile to run the query ', salary = '1' WHERE name = 'Boby'# .
Figure 11: Modifying Boby’s Salary. After Performing the Attack. Figure 12 Shows the Updated Boby’s salary to “1”. Figure 12: Updated Boby’s Salary. Task 3.3: Modify other people’ password. In this task, we must use a SQL Injection attack using Alice's profile to alter Boby's password. In order to change Boby's password, we must first transform the password into a hash code and then inject that hash
code into the database in Alice's profile. We start by establishing a password. The password is then transformed into a hash code using SHA1 , as seen in figure 13. Figure 13: Converting the Password into hash code using SHA1. Password Used: CaptMill@oct16 Hash Code: 0089fb19ad8b750fea12c48e85a83b4198a117ab After getting the Hash code,we update Boby’s password by injecting the hash code in Alice’s profile. Query used to update Boby’s password is ',password = '0089fb19ad8b750fea12c48e85a83b4198a117ab' WHERE name = 'Boby'# . Figure 14 shows the performing of SQL attack in Alice’s Profile to update Boby’s Profile.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Figure 14: Modifying Boby’s Password. After updating the password we are now logging into the Boby’s profile shown in Figure 15. Figure 15: Logging in to the Boby’s Profile using the Updated Password. Boby’s Profile is successfully logged in and we could be able to access the data of Boby which is shown in Figure 16.
Figure 16: Boby’s Profile. Task 4: Countermeasure Prepared Statement In earlier tasks, we discovered how to use SQL injection Attack to target databases. In this task, we are to provide countermeasure against the SQL injection attack that we conducted before and implement it in the webpage. To perform t his we need to modify query in “unsafe.php” from the given zip file. Figure 17 shows the unsafe.php file before making changes in it.
Figure 17: unsafe.phpfile Before Modification. Figure 18: unsafe.phpfile After Modification. After Modifying the unsafe.php as shown in Figure 18,we now check whether the webpage is logging in without the credentials.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Figure 19: Logging in with Boby’s Crendentials. Figure 20: Successfully Logged in into the Boby’s Profile. Figure 21: Error in Logging in to the Database without Password.
After taking the countermeasures to defend against the SQL injection attack by modifying the unsafe.php file, We weren’t able to login to the database without using the employee's credentials by injecting a SQL attack.

Related Documents

SQLQuery.sql
[Coding Exercise] Week 10 - Interactive image processor.pdf
image.jpg
546.pdf
IMG_1893.jpeg
CIS305 1.3 Linux Kernel Modules.docx
Review Test Submission_ Chapter Thirteen Quiz - Recursion &.._.pdf
CIS305 3.2.docx
CIS305_GP1.7.docx
Assingnment # 8 - Professional Pathway Exploration Reflection - 2022.docx
Chapter 3 Assignments.doc
gp-2603-l03-measurements.pdf
Recommended textbooks for you
Text book image
Database Systems: Design, Implementation, & Manag...
Computer Science
ISBN:9781305627482
Author:Carlos Coronel, Steven Morris
Publisher:Cengage Learning
Text book image
Microsoft Visual C#
Computer Science
ISBN:9781337102100
Author:Joyce, Farrell.
Publisher:Cengage Learning,
Text book image
Np Ms Office 365/Excel 2016 I Ntermed
Computer Science
ISBN:9781337508841
Author:Carey
Publisher:Cengage
Text book image
COMPREHENSIVE MICROSOFT OFFICE 365 EXCE
Computer Science
ISBN:9780357392676
Author:FREUND, Steven
Publisher:CENGAGE L
Text book image
Database Systems: Design, Implementation, & Manag...
Computer Science
ISBN:9781285196145
Author:Steven, Steven Morris, Carlos Coronel, Carlos, Coronel, Carlos; Morris, Carlos Coronel and Steven Morris, Carlos Coronel; Steven Morris, Steven Morris; Carlos Coronel
Publisher:Cengage Learning
Text book image
Programming Logic & Design Comprehensive
Computer Science
ISBN:9781337669405
Author:FARRELL
Publisher:Cengage
SEE MORE TEXTBOOKS
Recommended textbooks for you
Text book image
Database Systems: Design, Implementation, & Manag...
Computer Science
ISBN:9781305627482
Author:Carlos Coronel, Steven Morris
Publisher:Cengage Learning
Text book image
Microsoft Visual C#
Computer Science
ISBN:9781337102100
Author:Joyce, Farrell.
Publisher:Cengage Learning,
Text book image
Np Ms Office 365/Excel 2016 I Ntermed
Computer Science
ISBN:9781337508841
Author:Carey
Publisher:Cengage
Text book image
COMPREHENSIVE MICROSOFT OFFICE 365 EXCE
Computer Science
ISBN:9780357392676
Author:FREUND, Steven
Publisher:CENGAGE L
Text book image
Database Systems: Design, Implementation, & Manag...
Computer Science
ISBN:9781285196145
Author:Steven, Steven Morris, Carlos Coronel, Carlos, Coronel, Carlos; Morris, Carlos Coronel and Steven Morris, Carlos Coronel; Steven Morris, Steven Morris; Carlos Coronel
Publisher:Cengage Learning
Text book image
Programming Logic & Design Comprehensive
Computer Science
ISBN:9781337669405
Author:FARRELL
Publisher:Cengage
SEE MORE TEXTBOOKS