CMSC 414: Computer and Network Security (Univ. of Maryland) 13
• Can you find a way to modify the database (still using the above SQL query)? For example, can you add a new account to the database, or delete an existing user account? Obviously, the above SQL statement is a query-only statement, and cannot update the database. However, using SQL injection, you can try to turn the above statement into two statements, with the second one being the update statement. Please try this method, and see whether you can successfully update the database. To be honest, we are unable to achieve the update goal. This is because of a particular defence mechanism implemented in MySQL. In the report, you should show us what you have tried in order to modify the database. You should find out why the attack fails and what mechanism in MySQL has prevented such an attack. You may look up (second-hand) evidence on the Internet to support your conclusion.
Submission: Your task is to log in as bob without using his password. Please submit a file called task7.txt. The first two lines should be the values you entered in the login and password fields, surrounded by double quotes. The two lines should look exactly as follows, with your inputs in place of the
login=" "
password=" "
Follow this with a short explanation of what your input causes to happen. Also include a description of what you tried to enter in order to update the database, and your conclusions as to why it failed.
3.2 Task 8: SQL Injection on UPDATE Statements
When users want to update their profiles in phpBB2, they can click the Profile link, and then fill in a form to update the profile information. After the user sends the update request to the server, an UPDATE SQL statement will be constructed in include/usercp_register.php. The objective of this statement is to modify the current user's profile information in the phpbb_users table. There is a SQL injection vulnerability in this SQL statement. Please find the vulnerability, and then use it to do the following:
• Change another user's profile without knowing his/her password. For example, if you are logged in as Alice, your goal is to use the vulnerability to modify Bob's profile information, including Bob's password. After the attack, you should be able to log into Bob's account.
Tools
Print out debugging information. When we debug traditional programs (e.g. C programs) without using any debugging tool, we often use printf() to print out some debugging information. In web applications, whatever is printed out by the server-side program is actually displayed in the web page sent to the users; the debugging printout may mess up the web page. There are several ways to solve this problem. A simple way is to print out all the information to a file. For example, the following code snippet can be used by the server-side PHP program to print out the value of a variable to a file.
$myFile = "/tmp/mylog.txt";
$fh = fopen($myFile, 'a') or die("can't open file");   // 'a' = append mode
$Data = "a string";                                      // the value you want to inspect
fwrite($fh, $Data . "\n");
fclose($fh);
A useful Firefox Add-on. Firefox has an add-on called "Tamper Data", which allows you to modify each field in the HTTP request before the request is sent to the server. For example, after clicking a button on a web page, an HTTP request will be generated. However, before it is sent out, the "Tamper Data" add-on intercepts the request, and gives you a chance to make an arbitrary change to the request. This tool is quite handy in this lab. The add-on only works for Firefox versions 3.5 and above. If your Firefox has an