HW11: SQL Injection due Mon 13 Nov 23:59

\begin{purpose}
In this assignment you'll practice SQL injection and solve a fou...
...ssignment gives additional practice with Burpsuite and
CherryTree.
\end{purpose}

Overview

In this assignment you will solve the four-star SQL injection challenge in The Juice Shop called “User Credentials”. In this challenge you are asked to retrieve a list of all user credentials via SQL injection.

CherryTree

In CherryTree use the document named juice_shop.ctb that you created in the previous assignment and add a top-level node named Four-Star Challenges. Within that node add a subnode named User Credentials. You will document your work in that node.

On your Kali machine you need to run the Juice Shop server, Burp Suite, and Firefox. Once the Juice Shop server is running you can connect to it from Firefox.

Give very specific documentation of things you tried and the results you got as you try to solve this challenge. As always, try to solve this with as few hints as possible. In the next section of this assignment I list some progressively more helpful hints if you need them.

Some Hints If You Need Them

HINT 1: Click the hint button beside the challenge in the Juice Shop score board to read a high-level hint.
HINT 2: Skim through the SQL Injection lecture and make notes about the structure of the Users table in the walkthrough of the “Log in as Admin” challenge (starts at about 11:00).
HINT 3: Rewatch the last part of the SQL Injection lecture where hints are given for solving this assignment (starts about 17:30).
HINT 4: Here's an example of a UNION query (that is different than the one you'll need, but gives the idea):
SELECT id, title, description FROM book UNION SELECT age, name, notes FROM author
In this example two separate queries against two separate tables have their results combined into a single result set. This works because both queries return three columns and the column types match in order: integer, string, and string.

Using a UNION to exfiltrate data from a search form is a common pattern. To get it to work we just have to find out how many columns are in the first query. The query results may give that information away or we may have to guess it by trying consecutively longer queries until we no longer get an error.

HINT 5: Once you have a UNION query that seems like it should work you'll need to URL encode it and then paste the URL-encoded string into Burp Suite's Repeater before sending it to the application. Once you get it to work, the search results should show all the entries in the Users table!

Screenshot and Save Progress

Don't forget to paste the JSON results into your CherryTree document!

Once the challenge has been solved, revisit the score board. Modify the view to show four-star puzzles and include the solved puzzles in the list. Take a screenshot of the list showing your solved challenge and put the screenshot in the top-level node called Four-Stars in the CherryTree document.

The Juice Shop app will attempt to save progress from previous work, but just to be safe you should visit the score board and click the download button to save challenge progress.

Turn In Your Work

Turn in your work by uploading your completed CherryTree document to this assignment in Canvas.