Ethical Hacking Lab 1

SQL Injection: The Digital Pickpocket

SQL injection might sound like ancient history to some security professionals, but it remains one of the most lucrative attack vectors in 2025. The real lesson isn’t that SQL is flawed - it’s that any form input can be a gateway to your kingdom if not properly sanitized.

As a developer, this lab was a sobering reminder that I need to use ORMs religiously and keep my servers patched like a politician keeps their scandals hidden. The financial implications of these vulnerabilities make them irresistible to attackers - one injection can be worth thousands in ransom or millions in stolen data.

Database Reconnaissance

Examining the lab environment revealed quite a treasure trove:

• Network Structure: Two isolated networks - a classic setup that creates a false sense of security.

• MySQL Configuration (/root/image_mysql):

  • MySQL v8 running on Debian
  • Root password exposed in plaintext (amateur hour!)
  • Automatic database initialization through .sql files in initdb.d
  • Complete backend architecture with function definitions
  • Hashed passwords ripe for cracking with hashcat

• Web Application (/root/image_www):

  • Vulnerable Apache-PHP stack
  • Standard virtual host configuration
  • Raw SQL queries throughout the codebase - a security auditor’s nightmare
  • Defensive measures that might as well be made of Swiss cheese

Account Takeover: The Admin Heist

Breaking into Admin’s account was embarrassingly simple:

Username: Admin' #
Password: [anything]

This classic injection technique comments out the password check entirely - like telling the security guard “don’t bother checking my ID” and somehow succeeding.

For a more sophisticated approach, I deployed SQLMap:

sqlmap -u "http://{${DOCKER.IP}}/" --forms --batch
sqlmap -u "http://{${DOCKER.IP}}/" --forms --batch --dbs # returns sqllabs_users
sqlmap -u "http://{${DOCKER.IP}}/" --forms --batch -D sqllabs_users --tables # reveals credentials table

Just like that, the keys to the kingdom were mine. In the corporate world, this would mean complete access to financial systems, employee data, and intellectual property.

Salary Adjustment: Economic Warfare

As Alice (password: ‘password’), modifying my own salary was child’s play. The application’s unsafe_edit_backend.php was practically begging to be exploited.

By manipulating the address bar with:

', salary='99999

I gave myself a substantial raise that would make any Wall Street executive jealous. This type of vulnerability is how embezzlement schemes operate - small changes that fly under the radar but accumulate massive financial damage.

Password Hijacking: The Ultimate Privilege Escalation

Changing the administrator’s password to ‘mypassword123!’ was the final nail in the security coffin. Once accomplished, I could log in through the front door without any tricks - complete and legitimate access.

This kind of attack is particularly dangerous because it’s persistent and can survive server restarts or security sweeps that might catch other forms of access.

Technical Analysis and Results

Additional findings from the SQLMap reconnaissance:

• Multiple vulnerable entry points throughout the application
• Complete database structure exposed
• Samy’s hashed password retrieved and cracked
• Database running under privileged user context
• MySQL version details exposed (exact version redacted for security)

The full technical results are available in lab1.tar.gz