Post on 25-Jul-2020
Page 1 of 13
Assignment 6
This assignment includes hands-on exercises in the Oracle VM. It has two parts: Part 1 is the SQL
Injection Lab and Part 2 is the Encryption Lab.
Deliverables
You will be submitting evidence that you have completed all steps in this assignment by
documenting each step including the input and output of the queries/scripts in SQL*Plus. Also
include screen captures and explanations where appropriate.
Include both Part 1 and Part 2 in a single file. Name this file lastnameFirstname_assign6.doc.
Upload the file to Blackboard.
Part 1. SQL Injection Lab
Purpose
The goal of this lab is to demonstrate SQL Injection techniques to exploit vulnerabilities in
application code and gain access to sensitive database information.
Setup
This lab should be performed under the Oracle Linux VM provided in the course.
1. Start your Oracle Linux VM through the Oracle VM VirtualBox Manager.
2. Login as the Oracle user.
Username: oracle
Password: metcs674
3. Double-click the "Firefox Web Browser" icon (Figure 1) on the Desktop.
Figure 1: Firefox Icon
4. In the browser address field type the URL: http://localhost:8888/sql_injection/
5. The “SQL Injection Examples” page opens (Figure 2).
Figure 2: SQL Injection Examples Page
Once you have the “SQL Injection Examples” page open, follow the instructions for each of the
four parts of the lab below.
Part 1-1
For Part 1-1 of the assignment you will use the search application (Figure 3) located on the VM
at: http://localhost:8080/sql_injection/sql_search.html
Figure 3: SQL Search Page
The application uses tables in the “HR” schema.
In your answers show the full SQL Injection string and a screen shot of the search results
screen(s) as shown in the two examples below.
Example 1 - Use a SQL Injection string in the Search field (Figure 4) to return all records
(Figure 5).
Answer: Anything' or '1'='1
Figure 4: SQL Injection String
Figure 5: Search Results
Note: The screen capture above has been cropped, so only partial results are shown.
Example 2 - Use a SQL Injection string in the Search field (Figure 6) to get the name of the
database that the application is connecting to (Figure 7).
Answer: Anything' UNION SELECT 'string','string', ora_database_name FROM dual --'
Figure 6: SQL Injection String
Figure 7: Search Results
Complete the following:
1. Use a SQL Injection string in the Search field to get the name of the database user that the
application is connecting to the database with.
2. Use a SQL Injection string in the Search field to get the system privileges granted to the user
that the application is connecting to the database with.
3. Use a SQL Injection string in the Search field to get the Social Security Number (SSN) and
birthdate for "Michael Hartstein". (Hint: You will need to use a SQL Injection string to get
the employee_id first.)
Part 1-2
For Part 1-2, you will use the search application (Figure 8) located on the VM at:
http://localhost:8080/sql_injection/pl_sql_search.html
Figure 8: PL/SQL Search Page
The application uses tables in the “HR” schema.
In your answers show the full SQL Injection string and a screen shot of the search results
screen(s) and screen shots from SQL*Plus to verify before and after values in the database as
shown in the example below.
Example - Use a SQL Injection string in the Search field to update the Employees table and set
the salary of employee Timothy Gates to 1.
Answer:
1. First query the employees table (as the “hr” user) in SQL*Plus to see the salary for
Timothy Gates (Figure 9).
SQL> select first_name, last_name, salary from employees
where last_name='Gates' and first_name='Timothy';
Figure 9: Query on the Employees Table
2. Type an update SQL Injection string in the Search field as shown below (Figure 10).
'); update employees set salary=1 where last_name='Gates' and
first_name='Timothy'; END;--'
Figure 10: SQL Injection String
3. The results screen does not display any errors (Figure 11).
Figure 11: Search Results
4. Query the employees table again in SQL*Plus to see the salary for Timothy Gates
(Figure 12).
SQL> select first_name, last_name, salary from employees where
last_name='Gates' and first_name='Timothy';
Figure 12: Query on the Employees Table
Complete the following:
1. Use a SQL Injection string in the Search field to update the Employees table and double the
salary of employee Alana Walsh.
2. Use a SQL Injection string in the Search field to insert a new employee into the employees
table with employee_id 207. (Hint: You can run DESC EMPLOYEES in SQL*Plus as the “hr”
user to list the columns of the employees table and build your insert statement from them.)
3. Use a SQL Injection string in the Search field to delete the employee with employee_id 207
in the employees table.
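Added example, not the lab's application code: the search pages do not show their source, so the procedures below assume a search over HR.EMPLOYEES by last_name, and do_search in the closing comment is a hypothetical name for whatever the PL/SQL page calls. The block places the string-concatenation pattern that the injection strings in Parts 1-1 and 1-2 rely on next to the bind-variable form that removes it.

```plsql
-- Helper: print every last_name fetched from an open cursor, then close it.
CREATE OR REPLACE PROCEDURE print_names(p_cur IN OUT SYS_REFCURSOR) AS
  l_name employees.last_name%TYPE;
BEGIN
  LOOP
    FETCH p_cur INTO l_name;
    EXIT WHEN p_cur%NOTFOUND;
    DBMS_OUTPUT.put_line(l_name);
  END LOOP;
  CLOSE p_cur;
END;
/

-- Vulnerable: the search term is spliced into the SQL text, so a term such as
--   Anything' or '1'='1
-- rewrites the WHERE clause and returns every row (Example 1 of Part 1-1).
CREATE OR REPLACE PROCEDURE search_vuln(p_term IN VARCHAR2) AS
  l_cur SYS_REFCURSOR;
BEGIN
  OPEN l_cur FOR
    'SELECT last_name FROM employees WHERE last_name = ''' || p_term || '''';
  print_names(l_cur);
END;
/

-- Hardened: the same dynamic query with a bind variable. The term is passed
-- as data and never parsed as SQL, so its quotes stay literal and the
-- injection string above simply matches no row.
CREATE OR REPLACE PROCEDURE search_safe(p_term IN VARCHAR2) AS
  l_cur SYS_REFCURSOR;
BEGIN
  OPEN l_cur FOR
    'SELECT last_name FROM employees WHERE last_name = :term' USING p_term;
  print_names(l_cur);
END;
/

-- The PL/SQL search page (Part 1-2) has the same flaw one level up: building
--   'BEGIN do_search(''' || p_term || '''); END;'      (do_search is assumed)
-- for EXECUTE IMMEDIATE lets a term close the argument and start a second
-- statement. Binding closes it the same way:
--   EXECUTE IMMEDIATE 'BEGIN do_search(:t); END;' USING p_term;
-- and an application account without UPDATE/INSERT/DELETE on EMPLOYEES limits
-- what any injected statement could do.

SET SERVEROUTPUT ON
EXEC search_vuln('Anything'' or ''1''=''1')
EXEC search_safe('Anything'' or ''1''=''1')
```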
Part 1-3
For Part 1-3, you will use the Employee Portal application (Figure 13) located on the VM at:
http://localhost:8080/sql_injection/login.html
Figure 13: Employee Portal Application Page
The application uses tables in the “APP” schema. The “app” user password is “app”.
In your answers show the full SQL Injection string and a screen shot of the login results screen(s)
as shown in the example below.
Example - Use a SQL Injection string in the Password field (Figure 14) to get the name of all of
the tables in the application user’s schema (Figure 15).
Answer: Anything' UNION SELECT table_name, 'string' FROM tabs WHERE table_name like '%
Figure 14: SQL Injection String
Figure 15: Query Results
Complete the following:
The privileged user for this application is the “Admin” user.
1. Use a SQL Injection string in the Password field to get the password of the “Admin” user.
(Hint: First get the name of the column that contains passwords using user_tab_columns
WHERE column_name like '%PASS%.).
Note: You must show the login results screen with the password to get full credit. Do not get
the “Admin” password by querying the database outside of the application.
2. Login as the “Admin” user through the application and add a user. Verify the new user by
querying the app_user table in SQL*Plus.
3. Login as the “Admin” user through the application and delete the user added in question
2. Verify the user was deleted by querying the app_user table in SQL*Plus.
Part 1-4
Complete the following:
1. Use a SQL Injection string in any of the applications used in this lab to extract a unique piece
of information from the database that was not already covered in this lab.
Part 2. Encryption Lab
Introduction
The dbms_crypto package can be used to encrypt data before you store it in the database.
Purpose
The goal of the lab is to demonstrate, through a hands-on exercise, how to use the dbms_crypto
package.
Setup
This lab should be performed under the Oracle Linux VM provided in the course.
1. Start your Oracle Linux VM through the Oracle VM VirtualBox Manager.
2. Login as the oracle OS user.
Username: oracle
Password: metcs674
3. Open a terminal window by double-clicking the terminal icon (Figure 1).
Figure 1. Terminal icon
4. Login to SQL*Plus as the Sys user as sysdba as shown below (Figure 2). The default
password is metcs674.
Figure 2. SQL*Plus Session
5. Grant the execute privilege on the dbms_crypto package to scott.
SQL> GRANT EXECUTE ON DBMS_CRYPTO TO scott;
6. Connect as SCOTT/tiger.
Note: Unlock the Scott account or change the password if needed.
7. Create the following procedure. The procedure encrypts a string in a Social Security
Number (SSN) format and prints the unencrypted and encrypted data.
SET SERVEROUTPUT ON
DECLARE
  ssn             VARCHAR2(20) := '555 55 5555';
  ssn_raw         RAW(100)     := UTL_RAW.cast_to_raw(ssn);  -- plaintext as bytes
  num_key_bytes   NUMBER       := 128/8;                     -- 16-byte key for AES-128
  key_bytes_raw   RAW(16);
  encryption_type NUMBER       := DBMS_CRYPTO.ENCRYPT_AES128 -- cipher
                                + DBMS_CRYPTO.CHAIN_CBC      -- chaining mode
                                + DBMS_CRYPTO.PAD_PKCS5;     -- padding
  encrypted_raw   RAW(2000);
BEGIN
  DBMS_OUTPUT.put_line('The Unencrypted SSN is: ' || ssn);
  -- A fresh random key is generated here and never stored, so nothing
  -- encrypted in this run can be decrypted once the block finishes.
  key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES(num_key_bytes);
  encrypted_raw := DBMS_CRYPTO.encrypt(src => ssn_raw,
                                       typ => encryption_type,
                                       key => key_bytes_raw);
  -- encrypted_raw is already RAW; cast_to_raw converts it to its hex string
  -- first, so the printed value is the hex of that hex string (64 characters
  -- for a 16-byte ciphertext). RAWTOHEX(encrypted_raw) alone would print the
  -- 32-character ciphertext.
  DBMS_OUTPUT.put_line('The Encrypted SSN is: ' ||
                       RAWTOHEX(UTL_RAW.cast_to_raw(encrypted_raw)));
  DBMS_OUTPUT.put_line('The Decrypted SSN is: ');
END;
/
8. Your results should be similar to the following:
The Unencrypted SSN is: 555 55 5555
The Encrypted SSN is:
4236303334463144413743373342464535393544463744354434433038343337
The Decrypted SSN is:
PL/SQL procedure successfully completed.
Note: The results above do not have the Decrypted SSN value.
9. Modify the procedure from step 7 to use the Advanced Encryption Standard (AES) 256-
bit Encryption Algorithm. Also modify the procedure to print the Decrypted SSN value.
Your results should be similar to the following:
The Unencrypted SSN is: 555 55 5555
The Encrypted SSN is:
3534373144413932363430423734333038463938353241323841414446353831
The Decrypted SSN is: 555 55 5555
PL/SQL procedure successfully completed.