Assignment 6. This lab should be performed under the Oracle Linux VM provided in the course.

Transcription

1 Assignment 6 This assignment includes hands-on exercises in the Oracle VM. It has two Parts. Part 1 is SQL Injection Lab and Part 2 is Encryption Lab. Deliverables You will be submitting evidence that you have completed all steps in this assignment by documenting each step including the input and output of the queries/scripts in SQL*Plus. Also include screen captures and explanations where appropriate. Include both Part 1 and Part 2 in a single file. Name this file as lastnamefirstname_assign6.doc. Upload the files to the Blackboard. Part 1. SQL Injection Lab Purpose The goal of this lab is to demonstrate SQL Injection techniques to exploit vulnerabilities in application code and gain access to sensitive database information. Setup This lab should be performed under the Oracle Linux VM provided in the course. 1. Start your Oracle Linux VM through the Oracle VM VirtualBox Manager. 2. Login as the Oracle user. Username: oracle Password: metcs Double-click the "Firefox Web Browser" icon (Figure 1) on the Desktop. Figure 1: Firefox Icon 4. In the browser address field type the URL: 5. The SQL Injection Examples page opens (Figure 2). Page 1 of 13

2 Figure 2: SQL Injection Examples Page Once you have the SQL Injection Examples page open, follow the instructions for each of the four parts of the lab below. Part 1-1 For Part 1-1 of the assignment you will use the search application (Figure 3) located on the VM at: Figure 3: SQL Search Page The application uses tables in the HR schema. Page 2 of 13

3 In your answers show the full SQL Injection string and a screen shot of the search results screen(s) as shown in the two examples below. Example 1 - Use a SQL Injection string in the Search field (Figure 4) to return all records (Figure 5). Answer: Anything' or '1'='1 Figure 4: SQL Injection String Figure 5: Search Results Note: The screen capture above has been cropped, so only partial results are shown. Page 3 of 13

4 Example 2 - Use a SQL Injection string in the Search field (Figure 6) to get the name of the database that the application is connecting to (Figure 7). Answer: Anything' UNION SELECT 'string','string', ora_database_name FROM dual --' Figure 6: SQL Injection String Figure 7: Search Results Complete the following: 1. Use a SQL Injection string in the Search field to get the name of the database user that the application is connecting to the database with. Page 4 of 13

5 2. Use a SQL Injection string in the Search field to get the system privileges granted to the user that the application is connecting to the database with. 3. Use a SQL Injection string in the Search field to get the Social Security Number (SSN) and birthdate for "Michael Hartstein". (Hint: You will need to use a SQL Injection string to get the employee_id first.) Part 1-2 For Part 1-2, you will use the search application (Figure 8) located on the VM at: Figure 8: PL/SQL Search Page The application uses tables in the HR schema. In your answers show the full SQL Injection string and a screen shot of the search results screen(s) and screen shots from SQL*Plus to verify before and after values in the database as shown in the example below. Page 5 of 13

6 Example - Use a SQL Injection string in the Search field to update the Employees table and set the salary of employee Timothy Gates to 1. Answer: 1. First query the employees table (as the hr user) in SQL*Plus to see the salary for Timothy Gates (Figure 9). SQL> select first_name, last_name, salary from employees where last_name='gates' and first_name='timothy'; Figure 9: Query on the Employees Table 2. Type an update SQL Injection string in the Search field as shown below (Figure 10). '); update employees set salary=1 where last_name='gates' and first_name='timothy'; END;--' Figure 10: SQL Injection String Page 6 of 13

7 3. The results screen does not display any errors (Figure 11). Figure 11: Search Results 4. Query the employees table again in SQL*Plus to see the salary for Timothy Gates (Figure 12). SQL> select first_name, last_name, salary from employees where last_name='gates' and first_name='timothy'; Figure 12: Query on the Employees Table Page 7 of 13

8 Complete the following: 1. Use a SQL Injection string in the Search field to update the Employees table and double the salary of employee Alana Walsh. 2. Use a SQL Injection string in the Search field to insert a new employee into the employees table with employee_id 207 (Hint: You can use a desc employees in SQL*Plus as the hr user to get the fields of the employees table to build your insert statement.) 3. Use a SQL Injection string in the Search field to delete the employee with employee_id 207 in the employees table. Part 1-3 For Part 1-3, you will use the Employee Portal application (Figure 13) located on the VM at: Figure 13: Employee Portal Application Page The application uses tables in the APP schema. The app user password is app. In your answers show the full SQL Injection string and a screen shot of the login results screen(s) as shown in the example below. Page 8 of 13

9 Example - Use a SQL Injection string in the Password field (Figure 14) to get the name of all of the tables in the application user s schema (Figure 15). Answer: Anything' UNION SELECT table_name, 'string' FROM tabs WHERE table_name like '% Figure 14: SQL Injection String Figure 15: Query Results Page 9 of 13

10 Complete the following: The privileged user for this application is the Admin user. 1. Use a SQL Injection string in the Password field to get the password of the Admin user. (Hint: First get the name of the column that contains passwords using user_tab_columns WHERE column_name like '%PASS%.). Note: You must show the login results screen with the password to get full credit. Do not get the Admin password by querying the database outside of the application. 2. Login as the Admin user through the application and add a user. Verify the new user by querying the app_user table in SQL*Plus. 3. Login as the Admin user through the application and delete the user added in question 2. Verify the user was deleted by querying the app_user table in SQL*Plus. Part 1-4 Complete the following: 1. Use a SQL Injection string in any of the applications used in this lab to extract a unique piece of information from the database that was not already covered in this lab. Page 10 of 13

11 Part 2. Encryption Lab Introduction The dbms_crypto package can be used to encrypt data before you store it in the database. Purpose The goal of the lab is to demonstrate, through a hands-on exercise, how to use the dbms_crypto package. Setup This lab should be performed under the Oracle Linux VM provided in the course. 1. Start your Oracle Linux VM through the Oracle VM VirtualBox Manager. 2. Login as the oracle OS user. Username: oracle Password: metcs Open a terminal window by double-clicking the terminal icon (Figure 1). Figure 1. Terminal icon 4. Login to SQL*Plus as the Sys user as sysdba as shown below (Figure 2). The default password is metcs674. Page 11 of 13

12 Figure 2. SQL*Plus Session 5. Grant the execute privilege on the dbms_crypto package to scott. SQL> GRANT EXECUTE ON DBMS_CRYPTO TO scott; 6. Connect as SCOTT/tiger. Note: Unlock the Scott account or change the password if needed. 7. Create the following procedure. The procedure encrypts a string in a Social Security Number (SSN) format and prints the unencrypted and encrypted data. SET SERVEROUTPUT ON DECLARE ssn VARCHAR2(20) := ' '; ssn_raw RAW (100) := UTL_RAW.cast_to_raw(ssn); num_key_bytes NUMBER := 128/8; key_bytes_raw RAW (16); encryption_type NUMBER := DBMS_CRYPTO.ENCRYPT_AES128 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5; encrypted_raw RAW (2000); BEGIN DBMS_OUTPUT.put_line('The Unencrypted SSN is: ' ssn); key_bytes_raw := DBMS_CRYPTO.RANDOMBYTES (num_key_bytes); encrypted_raw := DBMS_CRYPTO.encrypt(src => ssn_raw, typ => encryption_type, key => key_bytes_raw); DBMS_OUTPUT.put_line('The Encrypted SSN is: ' RAWTOHEX(UTL_RAW.cast_to_raw(encrypted_raw))); Page 12 of 13

13 DBMS_OUTPUT.put_line('The Decrypted SSN is: '); END; / 8. Your results should be similar to the following: The Unencrypted SSN is: The Encrypted SSN is: The Decrypted SSN is: PL/SQL procedure successfully completed. Note: The results above do not have the Decrypted SSN value. 9. Modify the procedure from step 7 to use the Advanced Encryption Standard (AES) 256- bit Encryption Algorithm. Also modify the procedure to print the Decrypted SSN value. Your results should be similar to the following: The Unencrypted SSN is: The Encrypted SSN is: The Decrypted SSN is: PL/SQL procedure successfully completed. Page 13 of 13