Web application security - the fast guide 1.1 | Page 123

Chapter 6 - Attack execution (2)

SQL queries built from user input can be exploited by injecting special words and structures of the SQL grammar into that input, and through them an attacker can compromise user accounts and personal information, or fake orders and payment details. The following examples show different contexts in which an attacker can execute SQL injection.

Attack requirement: no sanitization functionality that neutralizes special characters or words matching an instruction in the SQL grammar; the application pastes the raw input into the query text.

To check whether a SQL injection attack is possible you can do the following tests:
- Enter a single quotation mark and monitor any change in behavior (typically a database error, because the quote terminates the string literal early).
- Enter two quotation marks and monitor any change in behavior (a doubled quote is an escaped quote, valid SQL, so the error should disappear).
- Split a known valid value with the database's string concatenation operator: FO'||'O (Oracle), FO'+'O (MS SQL) or FO' 'O (MySQL, where adjacent string literals are concatenated). If the application behaves exactly as it does for the plain value FOO, the database evaluated the concatenation, so the input is being interpreted as SQL and the application is vulnerable.

6.9.1 Attack Select statement

Listing
SELECT author, title, year FROM books WHERE publisher = 'pearson' AND published = 1

Attack
Using the value  pearson' OR 'a'='a  for the publisher field turns the query into
SELECT author, title, year FROM books WHERE publisher = 'pearson' OR 'a'='a' AND published = 1
Because AND binds more tightly than OR, the condition is evaluated as publisher = 'pearson' OR ('a'='a' AND published = 1): the query now returns every published book from every publisher, plus Pearson's unpublished ones. To drop the published = 1 filter as well, the attacker can comment out the rest of the query with  pearson' OR 'a'='a'--  (comment syntax varies by database; -- is shown here).

6.9.2 Attack insert

In this example the insert statement that creates a new account can be abused to create an account with administrator privileges (the example implies privs = 0 denotes an administrator).

Listing
INSERT INTO users (username, password, ID, privs) VALUES ('daf', 'secret', 2248, 1)

Attack
Supplying the username  foo', 'bar', 9999, 0)--  closes the VALUES list with attacker-chosen values and comments out the remainder of the statement:
INSERT INTO users (username, password, ID, privs) VALUES ('foo', 'bar', 9999, 0)--', 'secret', 2248, 1)
The same comment trick bypasses a login check: the username  admin'--  reduces
SELECT * FROM users WHERE username = 'admin'--' AND password = 'anyPass'
to a lookup of the admin row, with the password clause commented out.

6.9.3 Attack update statement

This example uses injection in the update statement behind the password-changing functionality to change the administrator's password.

Listing
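The following is an added, runnable demonstration of the detection tests, the select and insert attacks and the comment-based login bypass described above; it is not code from the book. It uses an in-memory SQLite database with constructed sample rows, a hypothetical schema mirroring the books and users tables (column types assumed), and takes privs = 0 to mean administrator as the insert example implies. It also goes one step beyond the text by placing each vulnerable function beside its parameterised form, so the fix can be seen on the same payloads.

```python
import sqlite3


def make_db():
    """Constructed sample data; the schemas mirror the book's 'books' and
    'users' tables (column types are assumed).  privs = 0 is taken to mean
    administrator, as the book's insert example implies."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE books (author TEXT, title TEXT, year INTEGER,
                            publisher TEXT, published INTEGER);
        INSERT INTO books VALUES
            ('Stuttard', 'WAHH',        2011, 'wiley',     1),
            ('Howard',   'Secure Code', 2002, 'microsoft', 1),
            ('Lee',      'Unreleased',  2024, 'wiley',     0),
            ('Smith',    'Draft',       2023, 'pearson',   0),
            ('Jones',    'Networks',    2019, 'pearson',   1);
        CREATE TABLE users (username TEXT, password TEXT, ID INTEGER,
                            privs INTEGER);
        INSERT INTO users VALUES ('admin', 'hunter2', 1, 0);
    """)
    return db


# --- Vulnerable code: the input is pasted straight into the SQL text -------

def search_books_vulnerable(db, publisher):
    sql = ("SELECT author, title, year FROM books "
           f"WHERE publisher = '{publisher}' AND published = 1")
    return db.execute(sql).fetchall()


def create_user_vulnerable(db, username, password, user_id=2248, privs=1):
    sql = ("INSERT INTO users (username, password, ID, privs) "
           f"VALUES ('{username}', '{password}', {user_id}, {privs})")
    db.executescript(sql)      # a '--' in the input comments out the tail
    return db.execute("SELECT username, privs FROM users "
                      "ORDER BY rowid DESC LIMIT 1").fetchone()


def login_vulnerable(db, username, password):
    sql = (f"SELECT username, privs FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()


def probe(db, value):
    """The detection tests: one input -> ('error', msg) or ('rows', n)."""
    try:
        return ("rows", len(search_books_vulnerable(db, value)))
    except sqlite3.OperationalError as err:
        return ("error", str(err))


# --- Hardened code: bound parameters, input is data and never parsed as SQL -

def search_books_safe(db, publisher):
    return db.execute("SELECT author, title, year FROM books "
                      "WHERE publisher = ? AND published = 1",
                      (publisher,)).fetchall()


def create_user_safe(db, username, password, user_id, privs=1):
    db.execute("INSERT INTO users (username, password, ID, privs) "
               "VALUES (?, ?, ?, ?)", (username, password, user_id, privs))
    return db.execute("SELECT username, privs FROM users "
                      "ORDER BY rowid DESC LIMIT 1").fetchone()


def login_safe(db, username, password):
    return db.execute("SELECT username, privs FROM users "
                      "WHERE username = ? AND password = ?",
                      (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # detection: a lone quote breaks the query, a doubled quote repairs it,
    # and a concatenated value behaves exactly like the plain one
    for value in ("pearson", "pearson'", "pearson''", "pear'||'son"):
        print(repr(value), "->", probe(db, value))
    # 6.9.1: AND binds tighter than OR, so 'Lee' (unpublished, not pearson)
    # is the only one of the five rows left out
    print(search_books_vulnerable(db, "pearson' OR 'a'='a"))
    # 6.9.2: the attacker-chosen tuple is inserted, the real one commented out
    print(create_user_vulnerable(db, "foo', 'bar', 9999, 0)--", "secret"))
    # login bypass with the same comment trick, then the parameterised forms
    print(login_vulnerable(db, "admin'--", "anyPass"))
    print(search_books_safe(db, "pearson' OR 'a'='a"))
    print(login_safe(db, "admin'--", "anyPass"))
```

The `||` probe works here because SQLite, like Oracle, uses `||` for concatenation; against MS SQL or MySQL substitute the operator given in the tests above. Note that the parameterised insert still stores the payload, but only as an ordinary username string with privs = 1: binding parameters prevents the input from changing the query's structure, it does not validate the value.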