SQL Injection Attacks by Example

Martin Brinkmann
Jun 6, 2006
Updated • May 6, 2013
Security
|
0

SQL injections are an attack form on the Internet that make use of security vulnerabilities in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever a programming or scripting language is embedded inside another.

So, it basically may give you options to manipulate the database of the service or retrieve information from it, something which no one without proper authorization should be able to do. It is therefore or utmost importance that web developers protect their applications against this attack from by making sure that everything is properly escaped.

SQL Injection Attacks by Example gives you a detailed view how experts used the technique to break into systems of companies that hired them to perform security tests on company networks or properties.

There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.

The example addresses provides you with the following information and examples.

  • The Target Intranet
  • Schema field mapping
  • Finding the table name
  • Finding some users
  • Brute-force password guessing
  • The database isn't read-only
  • Adding a new member
  • Mail me a password
  • Other approaches
  • Mitigation
  • Resources

A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration.

This step by step guide can be useful in getting a basic understanding on how security experts analyze a network, website or computer system. In this instance, it details how a security company successfully managed to gain access using SQL injections. The chapter about mitigating the attack can be especially helpful to system and web administrators to learn about ways to protect their properties against the attack form.

Advertisement

Related content

Intel

Microsoft publishes new Registry security mitigation for Intel processors (Spectre)

KeePassXC adds support for Passkeys, improves database import from Bitwarden and 1Password
Malwarebytes 5

First look at Malwarebytes 5.0
RustDoor malware targets macOS users by posing as a Visual Studio Update

RustDoor malware targets macOS users by posing as a Visual Studio Update
keys

KeePass 2.56 released: options search and history improvements
70 million account credentials were leaked in a massive password dump

70 million account credentials were leaked in a massive password dump

Previous Post: «
Next Post: «

Comments

There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.

Advertisement

Spread the Word

Advertisement

Hot Discussions

Advertisement

Recently Updated

Latest from Softonic

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

The name and logo of Ghacks are copyrights or trademarks of SOFTONIC INTERNATIONAL S.A.
Copyright SOFTONIC INTERNATIONAL S.A. © 2005- 2024 - All rights reserved