Web application security - the fast guide 1.1 | Page 123
Chapter 6 - Attack execution (2)
SQL injection can be exploited simply by injecting special words and structures into user input, to compromise user accounts and personal information or to fake orders and payment details. The following examples illustrate different contexts in which an attacker can execute SQL injection.
Attack requirement:
No sanitization functionality that neutralizes special words or characters matching an instruction in the SQL grammar.
To check whether an SQL injection attack is possible you can do the following tests:
Try to input a single quotation mark and monitor the change in behaviour.
Try two quotation marks and monitor the change in behaviour.
Try string concatenation in input fields: '||'FOO (in Oracle), '+'FOO (in MS SQL) or ' 'FOO (in MySQL); if no difference in behaviour is detected (the concatenated value is treated like the plain value FOO), the application is vulnerable.
6.9.1 Attack Select statement
Listing
SELECT author, title, year FROM books WHERE publisher = 'pearson' AND published=1
Attack
Using the value pearson' OR 'a'='a will make the query return the book information of all publishers, because the injected OR condition is always true:
SELECT author, title, year FROM books WHERE publisher = 'pearson' OR 'a'='a' AND published=1
6.9.2 Attack insert
In this example an INSERT statement used to create a new account is compromised to create an account with administrator privileges.
Listing
INSERT INTO users (username, password, ID, privs) VALUES ('daf', 'secret', 2248, 1)
Attack
We can simply supply the value foo', 'bar', 9999, 0)-- as the username to enable this hack: the injected closing parenthesis ends the VALUES list with the attacker's own privs value, and the comment marker discards the rest of the statement.
SELECT * FROM users WHERE username = 'admin'--' AND password = 'anyPass'
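As an added example (not the book's own code), the SELECT of 6.9.1 and the INSERT of 6.9.2 are built both by string concatenation and with bound parameters, against an in-memory SQLite database filled with constructed sample rows; the two values quoted above only change the meaning of the concatenated queries.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed rows for the book's two tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE books (author TEXT, title TEXT, year INT,
                            publisher TEXT, published INT);
        INSERT INTO books VALUES ('Ann', 'Title 1', 2001, 'pearson', 1),
                                 ('Bob', 'Title 2', 2002, 'wiley', 1),
                                 ('Cid', 'Title 3', 2003, 'pearson', 0);
        CREATE TABLE users (username TEXT, password TEXT, ID INT, privs INT);
    """)
    return db

def vulnerable_select(db: sqlite3.Connection, publisher: str) -> list:
    # Concatenation (6.9.1): the input is spliced into the SQL text, so quotes
    # and keywords inside it become part of the grammar.
    sql = ("SELECT author, title, year FROM books WHERE publisher = '"
           + publisher + "' AND published=1")
    return db.execute(sql).fetchall()

def safe_select(db: sqlite3.Connection, publisher: str) -> list:
    # Bound parameter: the driver hands the value to the engine as data, so it
    # can only ever be compared with the publisher column.
    sql = ("SELECT author, title, year FROM books "
           "WHERE publisher = ? AND published=1")
    return db.execute(sql, (publisher,)).fetchall()

def vulnerable_insert(db: sqlite3.Connection, username: str) -> tuple:
    # Concatenation (6.9.2): a username can close the VALUES list early and
    # comment out the application's fixed privs value.  Returns the stored row.
    sql = ("INSERT INTO users (username, password, ID, privs) VALUES ('"
           + username + "', 'secret', 2248, 1)")
    db.execute(sql)
    return last_user(db)

def safe_insert(db: sqlite3.Connection, username: str) -> tuple:
    # Bound parameter: the whole payload is stored verbatim as the username and
    # the application-chosen privs value (1) is untouched.
    sql = ("INSERT INTO users (username, password, ID, privs) "
           "VALUES (?, 'secret', 2248, 1)")
    db.execute(sql, (username,))
    return last_user(db)

def last_user(db: sqlite3.Connection) -> tuple:
    """(username, privs) of the most recently inserted users row."""
    return db.execute(
        "SELECT username, privs FROM users ORDER BY rowid DESC LIMIT 1"
    ).fetchone()
```

With the page's SELECT payload the concatenated query returns all three sample books while the parameterized one returns none; with the INSERT payload the concatenated statement stores ('foo', privs 0) while the parameterized one stores the literal payload with privs 1.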
6.9.3 Attack update statement
This example uses injection in the UPDATE statement behind the password-change functionality to change the administrator password.
Listing