sql_injection:example_attacks

Differences

This shows you the differences between two versions of the page.

sql_injection:example_attacks [2016/10/13 12:30] petersql_injection:example_attacks [2020/04/16 20:52] (current) – removed peter
Line 1: Line 1:
-====== SQL Injection - Example attacks ====== 
- 
-[[SQL Injection - Example attacks:Basic SQL Injection attack|Basic SQL Injection attack]] 
- 
-[[SQL Injection - Example attacks:Basic SQL Injection attack with defence|Basic SQL Injection attack with defence]] 
- 
-[[SQL Injection - Example attacks:SQL Injection attack against PHP addslashes|SQL Injection attack against PHP addslashes]] 
- 
-[[SQL Injection - Example attacks:SQL injection that gets around mysql_real_escape_string()|SQL injection that gets around mysql_real_escape_string()]] 
- 
- 
-===== Example attacks ===== 
- 
-**Scenario #1**: The application uses untrusted data in the construction of the following vulnerable SQL call: 
- 
-<code java> 
-String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; 
-</code> 
- 
-**Scenario #2**: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g., Hibernate Query Language (HQL)): 
- 
-<code sql> 
-Query HQLQuery = session.createQuery(“FROM accounts WHERE custID='“ + request.getParameter("id") + "'"); 
-</code> 
- 
-In both cases, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1.   
- 
-For example:  http://example.com/app/accountView?id=' or '1'='1 
- 
-This changes the meaning of both queries to return all the records from the accounts table.   More dangerous attacks could modify data or even invoke stored procedures. 
- 
- 
-===== Other attacks ===== 
- 
-Passing the following in as input. 
- 
-<code php> 
- -1 union all select table_name from information_schema.tables 
-</code> 
- 
-and now just extract table structure: 
- 
-<code sql> 
-SELECT ... WHERE id = -1 union all select column_name from information_schema.column where table_name = 0x61727469636c65 
-</code> 
- 
- 
-===== References ===== 
- 
-  * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string 
- 
-  * http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html 
- 
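Review bot: two defects in the removed text are worth correcting if this content is restored elsewhere: in the last `<code sql>` block, `information_schema.column` should be `information_schema.columns` (the MySQL table is plural), and the `-1 union all select table_name from information_schema.tables` block is SQL input, not PHP, so its `<code php>` tag should be `<code sql>`. The Scenario #2 snippet is Java that builds an HQL string, yet it is tagged `<code sql>` and written with curly quotes (“), which would not compile as given. Both scenarios share the same root cause, concatenating `request.getParameter("id")` into the query string, and the defence the page's own "Basic SQL Injection attack with defence" link points at is a parameterized query (a `PreparedStatement` with `?` placeholders, or an HQL named parameter) rather than escaping. The hex literal `0x61727469636c65` in the last block is just the table name `article` written so that no quote characters are needed; stating that beside the example would make clear what the query selects.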
  
sql_injection/example_attacks.1476361801.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
