We've already set up a virtual network of five nodes using topology 7 in virtnet, so those five nodes are running in VirtualBox and we have this topology. We have a browser on node 1, the web server for MyUni (the real MyUni website) on node 4, and a malicious user on node 2 using a browser, who also has a web server on node 5. In this demonstration we're going to do an SQL injection attack, so in fact we only need a single browser: we'll use node 2 as the malicious user and access the real MyUni website. We don't need node 5 or node 1 in this case. Remember that the access control of the MyUni website means that a student user can only see their own grades.

So let's consider node 2, our malicious user. On node 2, as the malicious user, we're going to access the grading website. We'll open it using Links, our web browser, and we can log in; we're going to assume we are the student user s followed by seven zeros (s0000000). So we type in the username and password and log in as the malicious user. It logs in and we can view our own grades: the system allows us to see the grade for COIT20262. OK, I can see my own grade. Now the challenge is to try to see another student's grade. Another student is s1234567, and when we try to do that we see that it says "You can only view your own grades". So what we would like to do is defeat this security. We can try with no course code, so still try to view this other student's grades but with an empty course code, and again: "You can only view your own grades". What can we do to view the grades of other students? Well, we'll eventually try an SQL injection attack, and to do that we need some knowledge of how the website, or the web application, works on the server. So we're going to have a look at the server and the web pages; we're going to the directory for the web pages of the grading system.
We see that there are some PHP and HTML files that implement the grading system: index, login, a query page, which is the page we see when we type in our ID and course code (it's a form with two input fields and a submit button), and then when we submit we get the view page. So let's look at the source code for those, first the source code for the query page. We'll briefly go through the main parts relevant to the attack; we'll not explain all the PHP. On the query page the user is logged in. This is the form code; if you look closely, it's HTML, and the action is that when the submit button is pressed the fields will be posted to the view.php file. So that's the submit button, and there are two fields, a student ID and a course code, and they are given the POST variable names ID and course. So when a user submits, those values are processed by the view.php file.

Let's see how it processes them. The two fields were submitted via POST, so these lines of code extract them and store them in variables called ID and course; anything submitted by the form is stored in ID and course. What the view page does, if everything's normal, is use the ID and course to do a query on a database, a MySQL query, get the student data and display it on the screen. Of course, you need to be logged in, and the query is just for you: if you're logged in as staff you can see any student, but if you're logged in as a student user the ID must match your logged-in username. That's the code that does that on the screen there. Assuming that's the case, so the ID we're searching for is the same as the student we're logged in as, the query runs; if they don't match, you get "You can only view your own grades". So if we try to search for another student's grades, it will not perform the SQL query.
So we must use our logged-in user's ID, and if we do, here's the MySQL query. First we make a connection to the database, and then there are two cases: if you have an empty course, it does one query where it doesn't consider the course, and the other is for when a course is given. So let's look at an example and see what that looks like in the source code. We search for our all-zeros malicious user and the course code COIT20262, and it shows us the grade. With respect to the source code of view.php, what's happening? Well, the course code was included, so we consider the second query, where we select everything (SELECT *) from the course grades table, and then the condition. Normally we'd return all rows, but we place the condition that the student ID field must match the ID that we entered, s followed by seven zeros in our example. That condition means only the rows with that student ID are returned, so we cannot see other student IDs; if we used a different student ID, the access control would not allow it. The course code is entered there too. So essentially it runs a query on the database that returns every row which has that student ID and the corresponding course code, and it orders them by student ID. That's the normal behaviour, and then the results are fetched and displayed on the screen, for example the course and the grade.

Now, what we want to do as the attacker: we know that we cannot modify the student ID, but we want to try an attack where we submit, in this case, a different course code and try to create a query such that we can see the grades of other students. What I'll do is run the query first and then we'll see how it works. So we're adding these extra values on the course code, and you see the apostrophe followed by OR 1=1; we'll explain what that does in a moment. Of course we've still got the malicious user's student ID. Now, what happens here?
We see the grades of all students. So here our attack has worked: we not only see our grade, but we see the grades for the other students, s1234567 and so on. So here we've performed an attack and defeated the security mechanisms of the system. Why did this special course code allow our attack to work? That's what we'll look at now. OK, we submitted a course code, and the way the application works is that whatever is in the course field, whether it's a course code or a long string like we've used, is substituted into the SQL query. So let's do that replacement, and we have COIT20262' OR 1=1 in the query; we just scroll across so we can see all of it on the screen. Now let's look closer at this SQL query. We select everything from course grades where some conditions hold, and the way that we constructed that form field we now have three conditions: student ID equals ..., AND course code equals ..., OR 1=1. Now think of that from a logic perspective: the ANDs bind together first, so we can think of brackets around the first two conditions. The condition is (student ID = s0000000 AND course code = COIT20262) OR 1=1. Now, because of the OR 1=1, it doesn't matter what the bracketed AND returns. When does 1 equal 1? 1=1 is always true.
So in fact that always returns true, and logically what we have is (some condition) OR true, and (some condition) OR true always returns true, meaning effectively this will return all rows in the course grades table. We've created a query that returns all rows from the table, and that's what we get in the result: there are about ten rows in the table and they are all returned, allowing the attacker to see this data when they shouldn't be able to. So the structure of this form field is specifically designed to take advantage of the flaw in the system. I'll leave it to you to look at how to design the system to improve upon it and to avoid such SQL injection attacks.
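As an added example (not code from the video or from the MyUni application), here is a small Python/sqlite3 model of the two query paths in view.php: the vulnerable version that pastes the course field into the SQL string, and a parameterised replacement that passes it as data. The table name coursegrades, its columns, the sample rows and the exact payload shape are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the MyUni course grades table.
# Table/column names (coursegrades, studentid, coursecode, grade) are assumptions.
ROWS = [
    ("s0000000", "COIT20262", "HD"),
    ("s1234567", "COIT20262", "D"),
    ("s1234567", "COIT20263", "C"),
    ("s7654321", "COIT20262", "P"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coursegrades (studentid TEXT, coursecode TEXT, grade TEXT)")
    db.executemany("INSERT INTO coursegrades VALUES (?, ?, ?)", ROWS)
    return db

def build_query_vulnerable(student_id, course):
    """Mirrors view.php's approach: form values are pasted straight into the SQL."""
    if course == "":
        return (f"SELECT * FROM coursegrades WHERE studentid = '{student_id}' "
                f"ORDER BY studentid")
    return (f"SELECT * FROM coursegrades WHERE studentid = '{student_id}' "
            f"AND coursecode = '{course}' ORDER BY studentid")

def view_grades_vulnerable(db, student_id, course):
    return db.execute(build_query_vulnerable(student_id, course)).fetchall()

def view_grades_safe(db, student_id, course):
    """Parameterised version: course is bound as a value, never parsed as SQL."""
    if course == "":
        sql = "SELECT * FROM coursegrades WHERE studentid = ? ORDER BY studentid"
        params = (student_id,)
    else:
        sql = ("SELECT * FROM coursegrades WHERE studentid = ? "
               "AND coursecode = ? ORDER BY studentid")
        params = (student_id, course)
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Normal use: the logged-in student asks for their own COIT20262 grade.
    print(view_grades_vulnerable(db, "s0000000", "COIT20262"))
    # The course field from the video: the apostrophe closes the string literal
    # and OR ... makes the studentid check irrelevant, so every row comes back.
    payload = "COIT20262' OR '1'='1"
    print(build_query_vulnerable("s0000000", payload))
    print(len(view_grades_vulnerable(db, "s0000000", payload)))   # all 4 rows
    # Same input through the prepared statement: no course has that literal name.
    print(len(view_grades_safe(db, "s0000000", payload)))         # 0 rows
```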