Page 1 of 13

Assignment 6

This assignment includes hands-on exercises in the Oracle VM. It has two Parts. Part 1 is SQL

Injection Lab and Part 2 is Encryption Lab.

Deliverables

You will be submitting evidence that you have completed all steps in this assignment by

documenting each step including the input and output of the queries/scripts in SQL*Plus. Also

include screen captures and explanations where appropriate.

Include both Part 1 and Part 2 in a single file. Name this file as lastnameFirstname_assign6.doc.

Upload the files to the Blackboard.

Part 1. SQL Injection Lab

Purpose

The goal of this lab is to demonstrate SQL Injection techniques to exploit vulnerabilities in

application code and gain access to sensitive database information.

Setup

This lab should be performed under the Oracle Linux VM provided in the course.

1. Start your Oracle Linux VM through the Oracle VM VirtualBox Manager.

2. Login as the Oracle user.

Username: oracle

Password: metcs674

3. Double-click the "Firefox Web Browser" icon (Figure 1) on the Desktop.

Figure 1: Firefox Icon

4. In the browser address field type the URL: http://localhost:8888/sql_injection/

5. The “SQL Injection Examples” page opens (Figure 2).

Page 2 of 13

Figure 2: SQL Injection Examples Page

Once you have the “SQL Injection Examples” page open, follow the instructions for each of the

four parts of the lab below.

Part 1-1

For Part 1-1 of the assignment you will use the search application (Figure 3) located on the VM

at: http://localhost:8080/sql_injection/sql_search.html

Figure 3: SQL Search Page

The application uses tables in the “HR” schema.

Page 3 of 13

In your answers show the full SQL Injection string and a screen shot of the search results

screen(s) as shown in the two examples below.

Example 1 - Use a SQL Injection string in the Search field (Figure 4) to return all records

(Figure 5).

Answer: Anything' or '1'='1

Figure 4: SQL Injection String

Figure 5: Search Results

Note: The screen capture above has been cropped, so only partial results are shown.

Page 4 of 13

Example 2 - Use a SQL Injection string in the Search field (Figure 6) to get the name of the

database that the application is connecting to (Figure 7).

Answer: Anything' UNION SELECT 'string','string', ora_database_name FROM dual --'

Figure 6: SQL Injection String

Figure 7: Search Results

Complete the following:

1. Use a SQL Injection string in the Search field to get the name of the database user that the

application is connecting to the database with.

Page 5 of 13

2. Use a SQL Injection string in the Search field to get the system privileges granted to the user

that the application is connecting to the database with.

3. Use a SQL Injection string in the Search field to get the Social Security Number (SSN) and

birthdate for "Michael Hartstein". (Hint: You will need to use a SQL Injection string to get

the employee_id first.)

Part 1-2

For Part 1-2, you will use the search application (Figure 8) located on the VM at:

http://localhost:8080/sql_injection/pl_sql_search.html

Figure 8: PL/SQL Search Page

The application uses tables in the “HR” schema.

In your answers show the full SQL Injection string and a screen shot of the search results

screen(s) and screen shots from SQL*Plus to verify before and after values in the database as

shown in the example below.

Page 6 of 13

Example - Use a SQL Injection string in the Search field to update the Employees table and set

the salary of employee Timothy Gates to 1.

Answer:

1. First query the employees table (as the “hr” user) in SQL*Plus to see the salary for

Timothy Gates (Figure 9).

SQL> select first_name, last_name, salary from employees

where last_name='Gates' and first_name='Timothy';

Figure 9: Query on the Employees Table

2. Type an update SQL Injection string in the Search field as shown below (Figure 10).

'); update employees set salary=1 where last_name='Gates' and

first_name='Timothy'; END;--'

Figure 10: SQL Injection String

Page 7 of 13

3. The results screen does not display any errors (Figure 11).

Figure 11: Search Results

4. Query the employees table again in SQL*Plus to see the salary for Timothy Gates

(Figure 12).

SQL> select first_name, last_name, salary from employees where

last_name='Gates' and first_name='Timothy';

Figure 12: Query on the Employees Table

Page 8 of 13

Complete the following:

1. Use a SQL Injection string in the Search field to update the Employees table and double the

salary of employee Alana Walsh.

2. Use a SQL Injection string in the Search field to insert a new employee into the employees

table with employee_id 207 (Hint: You can use a desc employees in SQL*Plus as the “hr”

user to get the fields of the employees table to build your insert statement.)

3. Use a SQL Injection string in the Search field to delete the employee with employee_id 207

in the employees table.

Part 1-3

For Part 1-3, you will use the Employee Portal application (Figure 13) located on the VM at:

http://localhost:8080/sql_injection/login.html

Figure 13: Employee Portal Application Page

The application uses tables in the “APP” schema. The “app” user password is “app”.

In your answers show the full SQL Injection string and a screen shot of the login results screen(s)

as shown in the example below.

Page 9 of 13

Example - Use a SQL Injection string in the Password field (Figure 14) to get the name of all of

the tables in the application user’s schema (Figure 15).

Answer: Anything' UNION SELECT table_name, 'string' FROM tabs WHERE table_name like '%

Figure 14: SQL Injection String

Figure 15: Query Results

Page 10 of 13

Complete the following:

The privileged user for this application is the “Admin” user.

1. Use a SQL Injection string in the Password field to get the password of the “Admin” user.

(Hint: First get the name of the column that contains passwords using user_tab_columns

WHERE column_name like '%PASS%.).

Note: You must show the login results screen with the password to get full credit. Do not get

the “Admin” password by querying the database outside of the application.

2. Login as the “Admin” user through the application and add a user. Verify the new user by

querying the app_user table in SQL*Plus.

3. Login as the “Admin” user through the application and delete the user added in question

2. Verify the user was deleted by querying the app_user table in SQL*Plus.

Part 1-4

Complete the following:

1. Use a SQL Injection string in any of the applications used in this lab to extract a unique piece

of information from the database that was not already covered in this lab.

Page 11 of 13

Part 2. Encryption Lab

Introduction

The dbms_crypto package can be used to encrypt data before you store it in the database.

Purpose

The goal of the lab is to demonstrate, through a hands-on exercise, how to use the dbms_crypto

package.

Setup

This lab should be performed under the Oracle Linux VM provided in the course.

1. Start your Oracle Linux VM through the Oracle VM VirtualBox Manager.

2. Login as the oracle OS user.

Username: oracle

Password: metcs674

3. Open a terminal window by double-clicking the terminal icon (Figure 1).

Figure 1. Terminal icon

4. Login to SQL*Plus as the Sys user as sysdba as shown below (Figure 2). The default

password is metcs674.

Page 12 of 13

Figure 2. SQL*Plus Session

5. Grant the execute privilege on the dbms_crypto package to scott.

SQL> GRANT EXECUTE ON DBMS_CRYPTO TO scott;

6. Connect as SCOTT/tiger.

Note: Unlock the Scott account or change the password if needed.

7. Create the following procedure. The procedure encrypts a string in a Social Security

Number (SSN) format and prints the unencrypted and encrypted data.

SET SERVEROUTPUT ON

DECLARE

ssn VARCHAR2(20) := '555 55 5555';

ssn_raw RAW (100) := UTL_RAW.cast_to_raw(ssn);

num_key_bytes NUMBER := 128/8;

key_bytes_raw RAW (16);

encryption_type NUMBER := DBMS_CRYPTO.ENCRYPT_AES128

+ DBMS_CRYPTO.CHAIN_CBC

+ DBMS_CRYPTO.PAD_PKCS5;

encrypted_raw RAW (2000);

BEGIN

DBMS_OUTPUT.put_line('The Unencrypted SSN is: ' || ssn);

key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES (num_key_bytes);

encrypted_raw := DBMS_CRYPTO.encrypt(src => ssn_raw,

typ => encryption_type,

key => key_bytes_raw);

DBMS_OUTPUT.put_line('The Encrypted SSN is: ' ||

RAWTOHEX(UTL_RAW.cast_to_raw(encrypted_raw)));

Page 13 of 13

DBMS_OUTPUT.put_line('The Decrypted SSN is: ');

END;

/

8. Your results should be similar to the following:

The Unencrypted SSN is: 555 55 5555

The Encrypted SSN is:

4236303334463144413743373342464535393544463744354434433038343337

The Decrypted SSN is:

PL/SQL procedure successfully completed.

Note: The results above do not have the Decrypted SSN value.

9. Modify the procedure from step 7 to use the Advanced Encryption Standard (AES) 256-

bit Encryption Algorithm. Also modify the procedure to print the Decrypted SSN value.

Your results should be similar to the following:

The Unencrypted SSN is: 555 55 5555

The Encrypted SSN is:

3534373144413932363430423734333038463938353241323841414446353831

The Decrypted SSN is: 555 55 5555

PL/SQL procedure successfully completed.