[SOLVED] CS6035 Database Security

95.00 $

Category: Tags: , , ,
Click Category Button to View Your Next Assignment | Homework

You will receive the following solution file(s) instantly after successful payment:

zip file icon project_dbsec_solution-and-steps-ku7gmd.zip (51.4 KB)
Assignment Instructions Updated Recently? Submit Below and we will provide new Solution!
Submit New Instructions
🔒 Securely Powered by:
Secure Checkout
5/5 - (2 votes)

2024 SOLUTION:https://www.ankitcodinghub.com/product/2024-project-database-security-solved/

2024 SUMMER SOLUTION: LINK

This post is to announce that the Database Security project releases at midnight on Wednesday, September 6. You will have ten days to finish, and it will close on Saturday, September 16th at 11:59 PM EDT. Instructions are here:
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/DatabaseSecurity/

The project (and most other subsequent projects) will be performed on a class VM that already has all of the projects. Each project will have its own username and password to log into the VM to do work. For the DB Security project, this is the username and password:
User name: dbsec
Password: sql-slammer-2003

VirtualBox can be downloaded from here:
https://www.virtualbox.org/

The VM image may be downloaded from here:
https://cs6035.s3.amazonaws.com/CS6035-Fall-2023-RC1.ova

Hash/Checksum of VM Image

Algorithm : SHA256

Hash      : DD5892C4D5139F224367B838E2497F2573C3AB7EBAA7182D7588987928B0AC47

You will need a program to run virtual machines, but for this class, the TA team is only supporting the latest version of VirtualBox. If you try other hypervisors, they might work, but if you run into trouble the TA team will not assist you. Also, Apples that use the Mx (M1 or M2) processors cannot run this VM and therefore also will not be supported.

Please reference the FAQ for the project which we will add to as the project goes forward (this is the first term we will be running this project as a required project for the entire class so I expect to learn a few things along the way).

Do I need to use the provided VM for this project?

  • Yes. You won’t be able to complete the project without using it, as the environment is set up expressly to handle this project.
    **NOTE: **To ensure that the autograder accurately grades your submission, create your .json file in a text editor on the VM and submit it from the VM. Do not use a Word document program like LibreOffice or Word. The submission must be in proper JSON format for the autograder to give credit.

The version of Virtual Box used to create the VMs: 7.0.8 r156789 (Qt5.15.2)

VMWare Workstation 17 has been tested; however, VirtualBox 7.0 is recommended.

  1. Q)Where do I download the VM?
  • The link will be provided in the ED Post for the release of the project.
  1. Q) I have an M1-based Mac. Can I run the VM?
  • No, you have to use an Intel/AMD-based x86_64 CPU for this project
  1. Q) The VM Password is:

to be announced when the project is open

  1. Q) Should I update the VM?
  • There is not a reason to update the machine.
  • You can allocate more resources via the Virtual Box (or another platform) configurations depending on your local host, but you shouldn’t need to.
  1. Q) My Virtual Machine is slow or not turning on; what should I do?
  • Feel free to increase the amount of RAM in the Virtual Machine. You may also have to disable 3D acceleration within the Virtual Machine.
    • By default the VM runs with a single core and 2GB RAM. The recommended order of operation to try is as follows:
      • Try disabling 3D acceleration 1st
      • Add a second core
      • Double the memory to 4GB
  • While the below setup is not fully supported for this project and any changes you make to your setup are at your acceptance of risk, if the GUI is still extremely slow/unusable, then you can try (not advised or supported):
    • With the VM off, right-click on the VM (CS6035-Student-Summer-2023-DBSec and click Settings.
    • Click on the Network Option.
    • Use Port Forwarding in the VM by changing the Network Adapter to NAT, expanding the Advanced **Options, click the **Port Forwarding button.
  1. Click on the Green Plus Icon and change the Host Port to 80 and Guest Port to 80. *You may need to enter 127.0.0.1 for the Host IP and 10.0.2.15 for the Guest IP
  2. If you are running a Web Service (i.e. IIS or Apache) on your Workstation that is using port 80, stop the service.
  3. Start the VM
  4. Log in to the VM

* Username: Provided on project release

* Password: Provided on project release

  1. Start the Container:

+ Click on the Menu Launcher Start Button (Hummigbird bottom).

+ Choose The Menu Option System Tools, then the Menu Link QTerminal.

+ Inside the Terminal window run the command: **sudo bash StartContainer.sh**

+ You may close the Terminal Window after you see the output: Container Started, currrent datetime.

  1. Notice also that the VM is set to mimic a real-world situation so that the links will come back not as localhost / 127.0.0.1 but as: \

www.gt-cs6035.com

www.homesandmore.com

www.mainstreethospital.com

www.nationalvoterregistration.com

www.communalinsurance.com

www.coderepository.com

www.vinylexpress.com

Your machine (Host) *non-VM, will not know how to resolve these sites. To trick the system, you can edit your hosts file. Cyber attack actors use this tactic to trick you into going to “fake/mimicked” sites. For instance, in your host file, it could have a bogus entry for www.capitalone.com where the site is a duplicate copy; however, it is now controlled by the threat actor, who can steal your credentials easily! * This is not recommended unless you have previous experience MAKE SURE YOU REMOVE THESE ENTRIES UPON COMPLETION OF THE PROJECT** * Edit your Windows Host’s host file: * Windows: c:\Windows\System32\Drivers\etc\hosts **You will need administrative elevation on the text editor you use * Linux: /etc/hosts * Mac: /private/etc/hosts * Add the below lines directly above the last line in the file (# End of section) 127.0.0.1 www.gt-cs6035.com 127.0.0.1 www.homesandmore.com 127.0.0.1 www.mainstreethospital.com 127.0.0.1 www.nationalvoterregistration.com 127.0.0.1 www.communalinsurance.com 127.0.0.1 www.coderepository.com 127.0.0.1 www.vinylexpress.com

  1. Open the browser of choice on your Host and browse go to the url [http://www.gt-cs6035.com](http://www.gt-cs6035.com/intro.html)
  2. Q) I receive an error when importing the OVA (like the one below). What should I do?
  • Update Virtual Box to version 7.0 (specifically 7.0.8)
  1. Q) General Ambiguous errors with importing: “Error When Importing Project E_INVALIDARG (0x80070057)”
  • This usually is due to insufficient space on the hard drive or File System mismatch (file system on Windows needs to be NTFS with VirtualBox).
  • Make sure you also have permission to be allocating storage. If you are on a work laptop with secured partitions, you may be unable to import the VM.
  • You can also try following these steps: https://www.youtube.com/watch?v=7CpkRbVOrpw
  1. Q) VirtualBox is giving me weird “Kernel Driver not installed” errors (Mac).
  1. Q) I bricked the VM (i.e. the VM is no longer functioning).
  1. You will need to restore the VM from the OVA file.

Common troubleshooting steps for VirtualBox

  • enabling/disabling 3d acceleration, giving more video memory
  • increasing CPUs and/or RAM (or if you don’t have enough, maybe lowering those *Already at lowest setting)
  • enabling/disabling PAX/VT-X in the VM system settings
  • changing your Pointing Device (Settings\System) and\or turning off Mouse Pointer Integration (https://superuser.com/a/1375774/440201)
  • disable/turn off screensaver/lock *Already turned off
  • change clipboard to bidirectional – use the VirtualBox Menu (top of VM Application) and choose Devices->Shared Clipboard, and make sure it is set to Bidirectional
  1. Q) Chrome is crashing.
  • disable/turn off the screen saver/lock
  • Make sure the VM Application is started
    • Start the Container:
      • Click on the Menu Launcher Start Button (Hummigbird bottom).
      • Choose The Menu Option System Tools, then the Menu Link QTerminal.
      • Inside the Terminal window run the command: sudo bash StartContainer.sh
      • You may close the Terminal Window after you see the output: Container Started, currrent datetime.
  • After opening Chrome, wait a few seconds to allow outside the network resources to load correctly
  1. Q) I deleted or modified files by accident and can’t get them back
  • You will need to restore the VM from the OVA file
  1. Q) How do I find my gtID?
  1. https://oscar.gatech.edu/
  2. Click “Secure Access Login”
  3. Click “Student Services & Financial Aid”
  4. Click “Student Records”
  5. Click “Unofficial Transcript
  6. At the top right of the screen, you should see your GTID (nine digits) next to your name.
  1. Q)I’m confused about how to start.
  1. Start the Container: + Click on the Menu Launcher Start Button (Hummigbird bottom). + Choose The Menu Option System Tools, then the Menu Link QTerminal. + Inside the Terminal window run the command: sudo bash StartContainer.sh + You may close the Terminal Window after you see the output: Container Started, currrent datetime.
  2. Double-click on Chrome Web Browser Icon on the Desktop (this will open Chrome)
    1. If Chrome does not open to http://www.gt-cs6035.com/intro.html automatically, browse to this website or look for the DBSec Bookmark.
  1. Q) Menu Links do not load / Website(s) are not loading (We’re having trouble finding that site).
  1. Wait a little while as the VM may just be spinning to catch up (typically will be seen if you rush into it after you Start the Container).
  2. Stop the Container: + Click on the Menu Launcher Start Button (Hummigbird bottom). + Choose The Menu Option System Tools, then the Menu Link QTerminal. + Inside the Terminal window run the command: sudo bash StopContainer.sh + You may close the Terminal Window after you see the output: Container Stopped, currrent datetime.
  3. Stop the Container: + Click on the Menu Launcher Start Button (Hummigbird bottom). + Choose The Menu Option System Tools, then the Menu Link QTerminal. + Inside the Terminal window run the command: sudo bash StartContainer.sh + You may close the Terminal Window after you see the output: Container Started, currrent datetime.
  4. Double-click on Chrome Web Browser Icon on the Desktop (this will open Chrome)
    1. If Chrome does not open to http://www.gt-cs6035.com/intro.html automatically, browse to the website as mentioned earlier or look for the DBSec Bookmark.
  5. If you still experience issues, try restarting your VM.
    1. Repeat Steps 2-4
  1. Q)Task 0 submission fails.
  1. Make sure your GTID is correct, with no beginning or ending spaces
  2. Re-complete TASK 0
  1. Q) Task 0 states, “You have reached the maximum # of entries; the VM will need to be restored.”
  • You will need to restore the VM from the OVA file.
  1. Q)Do I need to re-do Task 0 every time I return to the VM to complete another Task?
  • No, you only need to do Task 0 once
    • The exceptions to this are as follows:
      • You did not enter your correct GTID and your Gradescope Submission for Task0 fails.
      • The VM was in an unstable state and not saved correctly. When trying to complete any task you receive the following question in the FAQ.
  1. Q)Task 1-4 states, “Task 0 needs to be completed before this Task is unlocked”. submission fails.
  1. Complete TASK 0
  2. If you already completed Task 0 and the system was reset, compare the hash you received upon your successful Gradescope submission with the hash you receive from re-completing Task 0
  1. Q)I’m confused about how to solve Task(s) 1-4 and how I can solve this.
  1. Read the Writeup and pay close attention to each Tasks section
  2. Read through the corresponding DBSec Task in ED to see if a similar question has already been asked and answered
  3. Post your question in the corresponding DBSec Task in ED
    • Note: All posts made outside the preconfigured DBSec Task posts will be redirected. This includes private posts.
  4. Extra hints for reading the FAQ (not in the Writeup):
    • Report Columns for Tasks 1 and Task 2 are sortable (via click)
    • Javascript debugging via Web Developer Tools is helpful for Tasks 3 and 4
    • The lessons learned, and logic used in Task 1 will help you in Task 2
    • The lessons learned, and logic used in Task 3 will help you in Task 4
    • What does “remembering that they often use the same logic on the client and server side mean?
      • Once you access the client-side code via the browser’s Developer Tools and find out how to bypass its security implementation, you will need to do this a again to bypass the database’s security implementation. The database security logic is the exact same as the client-side security logic.
  1. Q) Should my hashes be of different lengths?
  • flag0 will be your longest hash.
  • flag1 & flag2 (same length) will be your shortest.
  • flag3, flag4, flag5, flag6 (same length) will be between flag0 & flag1/flag2.
  1. Q) Gradescope will not allow any more submissions.
  • There is a limit of ten submissions for this project
  • We are sorry if you have submitted your JSON file ten times, but you may no longer submit for this project.
  • If you feel this is by error, open a private ED discussion asking a TA to review it. Note that any decision will be based on the data provided by the Gradescope audit logs.

 

 

 

Background

Good News, Everyone!” A penetration testing firm has hired you, and as your first assignment, you’ve been given a small portfolio of websites to test. You immediately notice that the pages of different clients look very similar, with similar structure and conventions. With a little more digging, you determine that the same software company created them. Having this information, you know it’s likely that any vulnerability you find on one site will likely be seen on every client’s site. You also recognize the style of the pages and vulnerabilities and feel you have worked with this company in the past, remembering that they often use the same logic on the client and server-side.

Your goal is to bring visibility to these vulnerabilities by finding sensitive data that is not intended to be viewed, as well as testing the client’s security on sites where user input is required. As a pen tester, you will have to wear many hats. Good luck, and we hope you enjoy learning about a couple of database attacks.

SETUP:

To get set up for the tasks, carefully follow the steps below.
Log into the VM with the following user.

Username: Provided on project release

Password: Provided on project release

project_dbsec.json is available on the desktop. Put all hashes in this file and submit it as your final deliverable in Gradescope.

  • To edit project_dbsec.json:
    • Right-click on the file (located on the desktop)
    • Choose the Menu Option Open With
    • Choose the Menu Option Vim

To access the project:

  • Update Notifier Popup Message (May or may not display):
    • You do not need to run the system upgrade and click the cancel button.
  • Start the Container:
    • Click on the Menu Launcher Start Button (Hummigbird bottom).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StartContainer.sh
    • You may close the Terminal Window after you see the output: Container Started, currrent datetime.
  • Open Chrome Web Browser:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option Internet, then the Menu Link Google Chrome.
    • In the addressbar go to the URL http://www.gt-cs6035.com or look for the DBSec Bookmark
  • Start with Task 0
    • Once complete, submit the flag0 hash to verify your GTID is correct, as all Tasks are based on this first hash!
  • Other than Task 0 being completed first, Tasks 1 – 4 can be completed in whatever order you choose. However, the instructions are laid out for simplicity, completing the tasks in order.

GATECH_ID

NOTE: This is not the Georgia Tech Username; it is the gtId you can find on your Buzzcard or by following the below steps:

  1. https://oscar.gatech.edu/
  2. Click “Secure Access Login”
  3. Click “Student Services & Financial Aid”
  4. Click “Student Records”
  5. Click “Unofficial Transcript
  6. At the top right of the screen, you should see your GTID (nine digits) next to your name

Be very careful! When you copy and paste, be sure to strip off all leading spaces or special characters.

 

 

Task 0: GTID Verification (flag0 – 5 pts)

*NOTE – Task 0 has 1 flag (flag0)

This task will set up the rest of the project, which is why we are offering five free points – like where you got bonus points in kindergarten for putting your name (and spelling it right) on a test.

Note that you only have twenty-five attempts at entering your correct GTID, at which point you will be locked out and have to restore your VM.

To earn your hash for flag0, you must perform the following actions.

  1. Click on the Task 0 Menu from the home page. The page will open in a new tab. \
  1. Enter your GTID and click Submit (the URL to obtain your id is provided in the link – Where do I find my GTID?)

Hints:

  • After obtaining your hash, add your flag0 hash into the JSON file and submit it to Gradescope to verify it is correct before proceeding to Tasks 1-4!

Include your flag0 hash into the JSON file, and now, onto Task 1!

 

 

TASK 1: INFERENCE ATTACK- #1 (flag1 – 15 pts)

*NOTE – Task 1 has 1 flag (flag1)

Your first two attacks will involve what is called an inference attack. This is not an actual hack against a system, and it often doesn’t involve hackers at all. Data security is about keeping data confidential on a need-to-know basis, and most data at most companies is secured by permissions that limit who can see data. These permissions can be at the level of the table (the full list of a particular type of data, for instance the employee table contains the basic data about employees), the level of a row (a row in this case would correspond to the record for a single employee), or the level of a column (in this case a piece of information about an employee, like gender or position at work). However, it takes thought and care to maintain these controls, and often they can be inadvertently and carelessly circumvented. An inference attack usually involves access to standard reports available to a wide range of employees. Consider the sensitive area of salary. A company might consider that a column to restrict in terms of access and might well make an employee roster report that anyone could view that does not list people’s salaries. However, there may be other standard reports a company uses that are not carefully designed to protect those controls. By using two or more reports together, a rank-and-file employee can discover salary details they are not supposed to know by combining the information on the two reports and inferring the missing data, thus the name “inference attack”. You use multiple data sets to learn information that you are not supposed to know.

This is what has happened with these first reports you are looking at that were provided to you for testing. You have been given four internal reports for a single company. One report is a simple employee roster, one report lists out how long employees have been members of the organization, one report groups data on all employees together to provide the average salary for employees based upon the state that they live in, and the final report lists the average salary for employees based upon how long they have been a part of the company. Individually, these four reports do not violate the controls that the client has placed on access to sensitive HR data. However, as you do your analysis, you realize that there has been a hole opened in those controls to someone who puts the reports together and does a little analysis of the contents of the reports.

The audit reveals that at minimum at least one person’s salary is publicly available to all employees that can run these four reports. To successfully complete task 1, you need to find a hole in the protection where you can definitively find the actual salary of at least one employee. Each employee will have a hash associated with them. This hash is unique to your VM and was generated when you completed task 0. Once you have identified which employee has the exposed salary, record the hash value displayed for that employee on the report in your JSON file for flag1. You will pass task 1 if you have the correct hash value. Remember that you only get 10 submissions for the entire project, so if you randomly try different hash codes, you will only hurt yourself later in the project.

To earn your hash for flag1, you must perform the following actions.

  1. Hover over the Task 1 Menu, which will display four reports: Employee, Duration, Salary by State, and Salary by Duration. \
  1. Click on the report you want to view (i.e., Employee Report). The report will open in a new tab.
  2. Review the data on all four reports. You are searching through the data to see if you can find at least one employee whose salary you can positively identify exactly.
  3. Once you have found an employee whose salary you know exactly, look at the left of their record on the employee report. In the ID column of the report, there will be a hash (ID) for them. Record this hash and enter it into your JSON file. NOTE: the hashes are generated in connection with your GTID so they will be unique to you and your account.

Hints:

  • You need to find a place where data is isolated to a single person. Look throughout the four reports to see if there is anything that makes the data unique at an individual level. You might need to combine multiple reports to do this.
  • If it looks like a table and acts like a table, it is probably a table. While this is not necessary to complete the task, you can copy data from the report(s) into a spreadsheet program to manipulate it. This may assist you in tracking down the hole that exposes salaries.

Include your flag1 hash into the JSON file, and now, onto Task 2!

 

 

TASK 2: INFERENCE ATTACK- #2 (flag2 – 20 pts)

*NOTE – Task 2 has 1 flag (flag2)

Now that you have seen how an inference attack can compromise data in a single company, we next consider how inference attacks can be used to compromise data by combining unrelated data sets.

For this attack, consider four completely unrelated data sources. All four are internet facing and therefore available to anyone with internet access. The first report is a sample report produced for a local hospital concerning types of procedures done within the last few years. The second report is a voter registration database, which has certain well-established fields in it (you could go to your local board of elections and get a report like this on all registered voters in your district most likely). The third report is a partially de-identified report for an insurance company for a sample data set for public use built by the same developers we have been dealing with. “Partially de-identified” means that though there were some attempts made to remove an obvious link to actual patients, there is still some data left on the report that might link back to a real person if looked at carefully. We also have provided a helpful list of medical codes to link to the hospital report.

The problem here comes from the incomplete deidentification of the data in the insurance company’s claim report. Because of this, it may be possible to join these four sources together somehow to find a specific person’s medical history to know that on a specific date, a specific person had a specific procedure done. This is of course a significant breach of HIPAA regulations (in fact, this exercise was inspired by the incident where the medical history of the governor of Massachusetts was made public in just such a fashion). Your objective in this inference attack is to find a specific person who had a procedure that you can link by name and identity to a specific attack in the medical data using all four data sources. You may want to look up the work done on the patient using the codes in the medical history on the medical codes list, which might be helpful in the process. You will find a hash next to each person in the voter report. Select the correct hash as your response to this task by listing the hash in your JSON file for flag2.

To earn your hash for flag2, you must perform the following actions.

  1. Hover over the Task 2 Menu, which will display four sites: Medical History, Voter Registration, Insurance Claims, and Medical Codes. \
  1. Click on the site you want to view (i.e., Medical History). The site will open in a new tab.
  2. You will need to carefully examine all four sources to see where a patient’s history got compromised. It will be up to you to determine how to do this.
  3. Once you have identified the exposed patient, look up the hash code (ID Column) on the voter registration report for the exposed patient and record it. NOTE: the hashes are specific to you and your GTID as provided in task 0 (and we will use that ID when we grade in Gradescope).

Hints:

  • As with the prior task, feel free to make liberal use of copying data from the VM into a spreadsheet or other similar program on your host, and feel free to do whatever analysis you need to do to figure out the record you seek. As in Task 1, this is not required to complete this task.

Include your flag2 hash into the JSON file, and now, onto Task 3!

 

 

TASK 3: SQL INJECTION – #1 (flag3 – 10 pts / flag4 – 15 pts / flag5 – 15 pts)

*NOTE – Task 3 has 3 flags (flag3, flag4, flag5)

The next two tasks involve the most common database attack – SQL injection. This attack is one of the most common information security attacks in the world, and yet it is also one of the easiest to mitigate (in other words, lazy or careless programming is what causes this attack to be possible). SQL injection is possible when inputs are not sanitized. That sounds complicated, but what that means simply is that when you give someone a form or a web page to enter data, and there are slots for a user to type in, as a programmer you are responsible to ensure that somewhere in the process those input fields are inspected and any bad input is sanitized. SQL injection happens when the contents of the input fields without data sanitization are used in a text string to create a database query and sent to the database server in a form the developer did not intend.

To get into the basics of SQL injection, you can start by looking up online “SQL Injection Cheat Sheet” which is a helpful introduction to the topic. But what you will need to do to accomplish this task is figure out how to write some basic SQL code (the complexity won’t be in the SQL code, but in the bypass of the SQL Injection security) that can be placed into the input field of a form and passed to the website in such a way that it is a valid SQL statement that does things that the original developer did not intend. This can be as simple as simply bypassing security, collecting information you should not have, or at worst you will be making actual changes to the data of the website that the website owners do not want at all. Once the hole exists, your power to exploit it can be immense as long as you can guess the structure of the underlying database, or to map it out.

For Task 3, you have a website where your user ID is your GTID, as you entered on Task 0. The site wants to upgrade its old Legacy Login page. The legacy page’s main security is done by checking to see if there is a direct match to a user by the username (your GTID). You do not know and will not receive the password to enter the system. For flag3, the developers are asking you to determine the difficulty in bypassing the existing security, knowing that a SQL Injection attack is possible. The developers want to make an attempt to mitigate the risk of such an attack; however, they are wondering if they should be using just client-side data sanitization or both client and server-side data sanitization, with the server-side and client-side data sanitization being the same. For flag4, you will attempt to bypass the security using client-side data sanitization. For flag5, you will attempt to bypass the security using both client and server-side data sanitization. The client provided a snippet of the code they used on the legacy login page. You can use this code to try and figure out how to perform the SQL injection. When you succeed, you will log into the website using your GT ID and no password. The injection will bypass the password requirements and log you in immediately. Once logged in, the hash for flag3/flag4/flag5 keyed to your GT ID will be displayed. All three hashes for Task 3 will be different.

To earn your hash for flag3/flag4/flag5, you must perform the following actions.

  1. Hover over the Task 3 Menu, which will display three links: Legacy Login, New Login – Option 1, New Login – Option 2. \
  1. Click on a link. The page will open in a new tab.
  1. For flag3 (Legacy Login) – this is a straight SQL Injection on the password field.
  2. For flag4 (New Login – Option 1) – this is a client-side data sanitization SQL Injection on the password field.
  3. For flag5 (New Login – Option 2) – this is both a client and server-side data sanitization (2x) SQL Injection of the password field.
  1. Enter in your GTID in the username input field and any additional characters in the password input field you determine will cause the injection. Then press the login button to submit.
  2. If your information is correct, you will log into the system and receive your hash.

Hints:

  • For flag4 and flag5, you should use the browser’s Developer Tools to access and debug the client-side code.
  • For flag 5, remember that there will be server-side data sanitization, that you do not have access to, but know the logic will be a duplicate of the client-side data sanitization.
  • There is difference between encoding, escaping, and sanitization. Understand the difference and the validity of using one or the other, remembering that the client/server-side code is doing sanitization.
  • Here is the login code that you were able to obtain from the legacy login page::

function login($username, $password) {

$sql = “SELECT * FROM users WHERE eid=’$username’ AND password=’$password'”;

$userdata = $this->db->query($sql)->next();

if ($userdata) {

return true;

} else {

return false;

}

}

Include your flag3, flag4, and flag5 hash into the JSON file, and now, onto Task 4!

 

 

TASK 4: SQL INJECTION – #2 (flag6 – 20 pts)

*NOTE – Task 4 has 1 flag (flag6)

In this case, you will be looking at a search engine for a database of music albums for a music store. You have discovered that there is a page called “schema” which offers the user a view of the underlying metadata of the table used to populate the main report. By now, if you have been paying attention, the designers of these sites have followed a similar pattern for how their sites work, especially if you look at the hyperlinks that lead to the pages. You know therefore that there is probably a way to get admin access to that schema leveraging that knowledge of how they use links. And that means that there might be table definitions available to users who poke around and try to find things that they should not.

So your task then is first to figure out if you can find any additional information about tables in the database, and second to figure out how to leverage the information you find in the context of a SQL injection. If you are successful in crafting a SQL injection, you will find an actual database account appear on the report that you can use to log into the system using the “Login” screen on task 4. If you have the correct login information you can only obtain by SQL injection, you can enter the login information into that screen and get access to the management console. Of course, for our purposes “management console” is just the hash you need to get credit for the attack. Once the hash appears on the screen, you can enter it into your JSON file.

To earn your hash for flag6, you must perform the following actions.

  1. Hover over the Task 4 Menu, which will display four links: Schema, Report, and Login. \
  1. Click on the link you want to view (i.e., Schema). The link will open in a new tab.
  2. You can use the Schema link to see the schema for the table that is used to build the report. Consider based upon how the links have been designed to this point how you might be able to find out more information than this table. You might need admin access to see information.
  3. Once you have found additional information, consider how you might be able to use it on the report page for a SQL injection.
  4. The report search is a simple “SELECT…..FROM….WHERE” type of query using the schema you can see on the initial schema screen. Based on your previous testing, this probably means you can type in a search that will return rows from other tables in the database than intended. Once you have figured out how to execute the injection, type in your attack into the search field and click “Search”.
  5. Once you have done the injection correctly, you will find a username and a password appear in the report data. Use these values to log into the management console on the “Login” screen. When you have the correct login, you will get into the system and your hash will be displayed. Record the hash into your JSON file and submit to Gradescope.

Hints:

  • You notice that the pages and urls for the different clients look very similar, with similar structure and conventions.
  • How can you add contents from another table to an existing SQL query to return one set of data in a report?
  • You feel you have previously worked with this company, remembering that they often use the same logic on the client and server-side. As a result, the data sanitization might have some duplication. While you don’t have access to the back end code, you can access the client-side code via the browser’s Developer Tools.
  • There is difference between encoding, escaping, and sanitization. Understand the difference and the validity of using one or the other, remembering that the client/server-side code is doing sanitization.
  • Null works great for a SQLi when you don’t know the schema, and when the developers aren’t expecting it. The developers are looking for it!
  • The login bypass logic you used from Task 3 will not work on Task 4, although the choice to attempt is up to you. We explicitly prevented SQL injection on the login screen for this exercise.

Include your flag6 hash into the JSON file and submit it to Gradescope!

 

 

Troubleshooting:

Am I on the correct page for the flag I am trying to solve?

Your browser tab will start with the flag# followed by what the page is.

i.e. – flag3 – Login (Legacy)

Menu Links do not load / Website(s) are not loading (The site can’t be reached / We’re having trouble finding that site):

  • Stop the Container:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StopContainer.sh
    • You can proceed to the next step after you see the following output: Container Started, currrent datetime.
  • Start the Container:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StartContainer.sh
    • You may close the Terminal Window after you see the output: Container Started, currrent datetime.
  • Open Chrome Web Browser:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option Internet, then the Menu Link Google Chrome.
    • In the addressbar go to the URL http://www.gt-cs6035.com or look for the DBSec Bookmark
  • If you still experience issues, try restarting your VM.
    • Repeat Steps 2-4

Copy/Paste betwen Workstation and Virtual Machine is not working:

  1. Start your Virtual Machine (VirtualBox) Application (Image)
  2. Use the VirtualBox Menu (top of VirtualBox Application) and choose Devices->Shared Clipboard, and make sure it is set to Bidirectional

Task 0 submission fails:

  1. Make sure your GTID is correct, with no beginning or ending spaces
  2. Make sure everything in between the “” is replaced with your hash (this includes the <>
  3. Re-complete TASK 0

Tasks 1-4 states that “Task 0 needs completed before this Task is unlocked”:

  1. Complete TASK 0
  2. If you already completed Task 0 and the system was reset, compare the hash you received upon your successful Gradescope submission with the hash you receive from re-completing Task 0

Task 0 states, “You have reached the maximum # of entries; the VM will need to be restored”:

  1. You will have to restore the VM from the OVA file.

I bricked the VM (i.e. the VM is no longer functioning):

  1. You will have to restore the VM from the OVA file.

Gradescope will not allow any more submissions:

  1. There is a limit of ten submissions for this project
  2. If you have submitted your JSON file 10 times, we are sorry, but you may no longer make a submission for this project.
  3. If you feel this is by error, open a private ED discussion asking a TA to review it. Note that any decision will be based on the data provided by the Gradescope audit logs.

Error page

Wait a litle and retry (it may be a VM speed issue)

  • Close your browser
  • Access the page that errored

If the above did not resolve the error:

  • Stop the Container:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StopContainer.sh
    • You can proceed to the next step after you see the following output: Container Stopped, currrent datetime.
  • Start the Container:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StartContainer.sh
    • You may close the Terminal Window after you see the output: Container Started, currrent datetime.

If the above did not resolve the error:

  • Restart the VM
  • Login to the VM
  • Stop the Application:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StopContainer.sh
    • You can proceed to the next step after you see the following output: Container Stopped, currrent datetime.
  • Start the Application:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StartContainer.sh
    • You may close the Terminal Window after you see the output: Container Started, currrent datetime.
  • Access the page that errored

If the above did not resolve the error:

  • Restore the VM
  • Start the VM
  • Login to the VM
  • Stop the Container:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StopContainer.sh
    • You can proceed to the next step after you see the following output: Container Stopped, currrent datetime.
  • Start the Container:
    • Click on the Menu Launcher Start Button (Hummingbird button).
    • Choose The Menu Option System Tools, then the Menu Link QTerminal.
    • Inside the Terminal window run the command: sudo bash StartContainer.sh
    • You may close the Terminal Window after you see the output: Container Started, currrent datetime.
  • Access the page that errored

 

 

 

File submission instructions:

This project needs to be submitted via Gradescope. Navigate to the course in Canvas, click ‘Gradescope’, click ‘Project DBSec’, and submit there.

There is a limit of ten submissions to Gradescope for this project. This is more than enough submission attempts. Task 0 should only take 1 submission (2 if you typed your id wrong *note that the return of the hash also has your gtid for Task 0). Task 3 and 4, as long as your gtid from Task 0 was correct, will only return one possible hash upon completion. This leaves seven attempts for Tasks 1 and 2.

The contents of the submission file should be the following. There is a project_dbsec.json file on the desktop in your VM with a template set up, or you can copy-paste this to your newly created project_dbsec.json file elsewhere and replace the placeholders with the hash you retrieve from each relevant task.

Note: TextEdit, Vim, nano, Notepad++ is recommended to create and edit this file. Do not use LibreOffice or any Word Document editor. It must be in proper JSON format with no special characters to pass the autograder, and these Word Document editors will likely introduce special characters.

If you can’t find the file in the VM, just copy this format below:

{         “flag0”: “<copy hash 0 here>”,         “flag1”: “<copy hash 1 here>”,         “flag2”: “<copy hash 2 here>”,         “flag3”: “<copy hash 3 here>”,         “flag4”: “<copy hash 4 here>”,         “flag5”: “<copy hash 5 here>”,         “flag6”: “<copy hash 6 here>” }

An example of what the submitted file content should look like:

{         “flag0”: “f7e194f29d16585c0f67fd3fd80708da918248870724535d32db2b3d80519”,         “flag1”: “5b6f185b9e8c6”,         “flag2”: “04dd7275ae252”,         “flag3”: “29dfd3ff18d7f47c31aba16afaf50”,         “flag4”: “67faba1d6f18e1945d707245113d3”,         “flag5”: “6cda4ff7c31aba10f1bb1cb88d7f4”,         “flag6”: “f66113d6afaf5f7fba34bc05429a7” }

 

  • project_dbsec_solution-and-steps-ku7gmd.zip