Wiki

User Tools

Site Tools

Trace: numbers cut_and_paste
sql_injection:example_attacks

This is an old revision of the document!

Table of Contents

SQL Injection - Example attacks

Basic SQL Injection attack

Basic SQL Injection attack with defence

SQL Injection attack against PHP addslashes

Example attacks

Scenario #1: The application uses untrusted data in the construction of the following vulnerable SQL call: 

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g., Hibernate Query Language (HQL)): 

Query HQLQuery = SESSION.createQuery(FROM accounts WHERE custID='“ + request.getParameter("id") + "'");

In both cases, the attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1.

For example: http://example.com/app/accountView?id=' or '1'='1

This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.

Scenario #3: Code to do an insert into the database could also be vulnerable. 

$sql = "INSERT INTO Students (Name) VALUES ('" . $studentName . "');";
execute_sql($sql);

The first line creates a string containing an SQL INSERT statement. The content of the $studentName variable is glued into the SQL statement. The second line sends the resulting SQL statement to the database. The pitfall of this code is that outside data, in this case the content of $studentName, becomes part of the SQL statement.

First let's see what the SQL statement looks like if we insert a student named John: 

INSERT INTO Students (Name) VALUES ('John');

This does exactly what we want: it inserts John into the Students table.

Now we insert some injection code by setting $studentName to Robert'); DROP TABLE Students;--. The SQL statement becomes: 

INSERT INTO Students (Name) VALUES ('Robert'); DROP TABLE Students;--');

This inserts Robert into the Students table. However, the INSERT statement is now followed by a DROP TABLE statement which removes the entire Students table. Ouch!

Other attacks

Passing the following in as input. 

 -1 union all select table_name from information_schema.tables

and now just extract table structure: 

SELECT ... WHERE id = -1 UNION ALL SELECT column_name FROM information_schema.column WHERE TABLE_NAME = 0x61727469636c65

References

sql_injection/example_attacks.1476361231.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki