UT Martin Cyber Ambassadors

User Tools

Site Tools

Trace:
sql_injection

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
sql_injection [2019/10/01 11:23]
acm 		sql_injection [2019/10/05 18:51] (current)
acm
Line 11: Line 11:
 SELECT password FROM users WHERE username='bob'; SELECT password FROM users WHERE username='bob';
 </code> </code>
-Now let's say I'm a hacker who wants to get the passwords of all the users in the system, but I'm not quite sure what their usernames are.+Now let's say I'm a hacker who wants to get the passwords of all the users in the system, but I'm not quite sure what their usernames are. As a hacker I could type in something like:
 <code> <code>
-OR '1'\'1'+//Ignore the '/' as the wiki doesn't like when its not there 
 +OR '1'/'1'
 </code> </code>
 +changing the query that retrieves the password to:
 +<code>
 +SELECT password FROM users WHERE username='' OR '1' = /'1';
 +</code>
 +Since 1 = 1 is always true, and any OR statement with a clause that is always true will also always be true, this statement will return every password in the database.
 +=== Batched SQL Statements === 
 +Another more powerful form of SQL Injection is using Batched SQL Statements. This allows us to write full SQL statements that are then executed by the server, rather than being limited to just modifying an existing statement. This works by closing out all open and expected inputs in the existing statement, ending it with a ';', and then providing a new statement of the attacker's own design. Randall Munroe, the creator of XKCD, provides an excellent example in the comic below.
 +{{ :exploits_of_a_mom.png }}
 +The SQL statement on the school's program probably looks something like the following:
 +<code>
 +“INSERT INTO Students VALUES (‘“ + firstName “‘,’”  +  lastName + “‘);”
 +</code>
 +Thanks to the specific nature of little Bobby's name, the statement that the server runs is:
 +<code>
 +INSERT INTO Students VALUES(‘Robert’); DROP TABLE STUDENTS; 
 +</code>
 +This causes the software to delete the entire student table after inserting Robert into the table. This works as putting a semicolon into a SQL statement allows us to execute more than one statement per line.
 +
 +=== References ===
 +https://www.w3schools.com/sql/sql_injection.asp \\
 +https://appdividend.com/2019/07/18/sql-injection-example-what-is-sql-injection/ \\
 +https://www.xkcd.com/327/ \\
 +https://www.owasp.org/index.php/Blind_SQL_Injection \\
 +
sql_injection.1569947032.txt.gz · Last modified: 2019/10/01 11:23 by acm

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki