SQL Injection And XSS Attack Demonstration Experiment

1. Experiment

1.1 Knowledge points

This experiment primarily demonstrates SQL injection and Cross-Site Scripting (XSS) attacks on Alibaba Cloud ECS instances. SQL injection refers to the insertion of an SQL statement into a web form or a URL query string so that the server is tricked into executing a malicious SQL statement. XSS attacks exploit a security vulnerability in web applications that lets an attacker implant code into webpages that are served to other users.

1.2 Experiment process

  • Test the user logon function of the application system
  • Verify an SQL injection vulnerability and bypass logon authentication

1.3 Cloud resources required

  • ECS

1.4 Prerequisites

  • If you’re using your own Alibaba Cloud account instead of the account provided by this lab to operate the experiment, please note that you’ll need to choose the same Ubuntu 16.04 operating system for your ECS in order to run the experiment smoothly.
  • Before starting the experiment, please confirm that the previous experiment has been closed normally and exited.

2. Start the experiment environment

Click Start Lab in the upper right corner of the page to start the experiment.

After the experiment environment is successfully started, the system has deployed resources required by this experiment in the background, including the ECS instance, RDS instance, Server Load Balancer instance, and OSS bucket. An account consisting of the username and password for logging on to the Web console of Alibaba Cloud is also provided.

After the experiment environment is started and related resources are properly deployed, the experiment starts a countdown. You have an hour to perform experimental operations. After the countdown ends, the experiment stops, and related resources are released. During the experiment, pay attention to the remaining time and arrange your time wisely. Next, use the username and password provided by the system to log on to the Web console of Alibaba Cloud and view related resources:

Go to the logon page of Alibaba Cloud console.

Fill in the sub-user account and click Next.

Fill in the sub-user password and click Log on.

After you successfully log on to the console, the following page is displayed.

3. View ECS instances

Click Elastic Compute Service, as shown in the following figure.

We can see one running ECS instance in the Silicon Valley region.

Copy the public network IP address of the ECS instance to the address bar of your browser.

You can see the service pages that have been deployed on the ECS instance.

4. SQL injection attacks

4.1 Normal logon

Enter both correct and incorrect username and password combinations and observe the responses of the application system’s user logon function.

Click Log in.

Then, enter the correct username and password (test/123456).

The following information is displayed, indicating successful logon.

4.2 Incorrect logon

Click the Back icon in the upper-left corner of the browser and then enter an incorrect username and password combination (such as test/abc):

The following information is displayed, indicating logon failure.

4.3 SQL injection logon

Now, we will bypass the logon authentication mechanism by exploiting the SQL injection vulnerability through manual injection. On the user logon page, enter the username test' or '1'='1 and any password, as shown in the following figure.

Click Login.

This allows you to verify that you have exploited the SQL injection vulnerability and bypassed the logon authentication mechanism.

4.4 Code

logincheck.php

<?php
    if(isset($_POST["submit"]) && $_POST["submit"] == "Login")
    {
        $user = $_POST["username"];
        $psw = $_POST["password"];
        if($user == "" || $psw == "")
        {
            echo "<script>alert('Please input username or password!!!'); history.go(-1);</script>";
        }
        else
        {
            include("link.php");
            // Vulnerable: the raw POST values are concatenated into the query text,
            // so a quote in the username (see 4.3) rewrites the WHERE clause.
            $sql = "select username,password from user where username = '$_POST[username]' and password = '$_POST[password]'";
            $result = mysql_query($sql);
            $num = mysql_num_rows($result);
            if($num)
            {
                // Any matching row is treated as a successful logon.
                $row = mysql_fetch_array($result);
                echo "<script>alert('Login succeeded!!!'); history.go(-1);</script>";
            }
            else
            {
                echo "<script>alert('Wrong username or password!'); history.go(-1);</script>";
            }
        }
    }
    else
    {
        echo "<script>alert('Submit not succeeded!!!'); history.go(-1);</script>";
    }
?>
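As an added example (not part of the lab's code), the following Python script reproduces the query construction of logincheck.php against an in-memory SQLite stand-in for the `user` table and places a parameterized version beside it; the table contents and the function names are constructed here for illustration.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's `user` table (one account: test/123456).
conn = sqlite3.connect(":memory:")
conn.execute("create table user (username text, password text)")
conn.execute("insert into user values ('test', '123456')")
conn.commit()


def build_vulnerable_sql(user: str, psw: str) -> str:
    """Same string interpolation as logincheck.php: input is pasted into the query text."""
    return (f"select username,password from user where username = '{user}' "
            f"and password = '{psw}'")


def login_vulnerable(user: str, psw: str) -> bool:
    """Mirrors logincheck.php: any returned row counts as a successful logon."""
    rows = conn.execute(build_vulnerable_sql(user, psw)).fetchall()
    return len(rows) > 0


def login_safe(user: str, psw: str) -> bool:
    """Hardened form: placeholders keep the input as data, so quotes cannot alter the query."""
    rows = conn.execute(
        "select username,password from user where username = ? and password = ?",
        (user, psw),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    payload = "test' or '1'='1"      # the username entered in section 4.3
    # The interpolated WHERE clause becomes
    #   username = 'test' or '1'='1' and password = 'abc'
    # AND binds tighter than OR, so SQL reads it as
    #   username = 'test' OR ('1'='1' AND password = 'abc')
    # and the existing 'test' row matches whatever the password is.
    print(build_vulnerable_sql(payload, "abc"))
    print(login_vulnerable("test", "123456"))   # True  (normal logon, 4.1)
    print(login_vulnerable("test", "abc"))      # False (incorrect logon, 4.2)
    print(login_vulnerable(payload, "abc"))     # True  (bypass, 4.3)
    print(login_safe(payload, "abc"))           # False (payload is just an unknown username)
```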

5. XSS attacks

5.1 Demonstration

You can check whether a website has an XSS vulnerability by looking for the behaviour XSS depends on: content that a user submits is stored and later rendered back to visitors unchanged.

Enter a common string in the message board, as shown in the following figure, and click Submit.

The following information is displayed, indicating that the message has been posted successfully.

Then, click “List”.

You will see the message just posted.

This suggests that there is likely a stored (“storage type”) XSS vulnerability.

Therefore, click Comment and enter the following content (with an arbitrary user and title). Then, click Submit.

<script>alert("hacker")</script>

After the message has been added, click “List”.

“hacker” is displayed.

The user can take a screenshot of the above result when doing the experiment and send it to the teacher, indicating that this part of the current chapter has been completed.

This result shows that the website definitely has a stored XSS vulnerability. By exploiting this vulnerability, we can redirect any user who reads our message to a specified web page. Here, we will redirect users to the Taobao homepage. Click Comment and enter the following content (with an arbitrary user and title). Then, click Submit.

<script>window.open("http://www.taobao.com")</script>

After the message is added, click “List”. Your browser should open the Taobao website.

Users can take a screenshot of the above result when they are doing the experiment and send it to the teacher, indicating that the current experiment has been completed.

If we changed the link address to a pre-constructed malicious page, we could do a great deal of harm to users. We have now demonstrated the effectiveness and the great potential danger posed by XSS vulnerabilities.

5.2 Code

list.php

<?php
include("link.php");
include("head.php");
?>

<table width="500" border="0" align="center" cellpadding="5" cellspacing="1" bgcolor="#add3ef">

<?php
$sql = "select * from message";
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {
?>

  <tr bgcolor="#eff3ff">
    <!-- Vulnerable: stored values are echoed without HTML encoding, so a message
         containing a script tag (see 5.1) runs in every reader's browser. -->
    <td> Title: <?php echo $row['title']; ?> Username: <?php echo $row['user']; ?> </td>
  </tr>
  <tr bgcolor="#ffffff">
    <td>Content: <?php echo $row['content']; ?></td>
  </tr>

<?php
}
?>

</table>
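As an added example (not the lab's own code), this Python script mirrors the way list.php echoes stored rows from the `message` table in section 5.2 and contrasts it with output encoding, using the two payloads posted in section 5.1; the sample rows and the function names are constructed here for illustration.

```python
import html

# Constructed sample rows standing in for the lab's `message` table, including the
# two payloads posted in section 5.1.
MESSAGES = [
    {"title": "hello", "user": "alice", "content": "just a normal message"},
    {"title": "t", "user": "x", "content": '<script>alert("hacker")</script>'},
    {"title": "t", "user": "x", "content": '<script>window.open("http://www.taobao.com")</script>'},
]


def render_row_unsafe(row: dict) -> str:
    """Mirrors list.php: stored values are echoed straight into the HTML."""
    return (f"<tr><td> Title: {row['title']} Username: {row['user']} </td></tr>"
            f"<tr><td>Content: {row['content']}</td></tr>")


def render_row_safe(row: dict) -> str:
    """Hardened form: every stored value is HTML-encoded at output time.
    PHP equivalent: htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8')."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)
    return (f"<tr><td> Title: {esc(row['title'])} Username: {esc(row['user'])} </td></tr>"
            f"<tr><td>Content: {esc(row['content'])}</td></tr>")


def render_list(rows, safe: bool) -> str:
    """Builds the whole table the way list.php does, in either variant."""
    render = render_row_safe if safe else render_row_unsafe
    body = "".join(render(r) for r in rows)
    return f'<table bgcolor="#add3ef">{body}</table>'


def contains_script_tag(page: str) -> bool:
    """Regression check: does the rendered page still contain a live <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(contains_script_tag(render_list(MESSAGES, safe=False)))  # True  (stored XSS fires)
    print(contains_script_tag(render_list(MESSAGES, safe=True)))   # False (payload shown as text)
    print(render_row_safe(MESSAGES[1]))
```

The encoded variant displays the literal text `<script>alert("hacker")</script>` in the list instead of executing it, which is the outcome a fixed list.php should produce for the messages posted in 5.1.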

6. Experiment summary

This experiment primarily introduced the general methods of SQL injection and XSS attacks. Both of these attack types are made possible by improper programming of webpages. Not only can they compromise the web service itself, but they can also directly affect the users who visit the web service. Therefore, the prevention of such attacks is crucial to the security of a website.