SQL Injection Attacks by Example - gHacks Tech News

SQL Injection Attacks by Example

SQL injection is a class of attack on Internet-facing applications that exploits security vulnerabilities in the database layer of an application. Its source is the incorrect escaping of dynamically generated string literals embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever a programming or scripting language is embedded inside another.

In practice, it may allow an attacker to manipulate the database behind a service or retrieve information from it, something nobody without proper authorization should be able to do. It is therefore of utmost importance that web developers protect their applications against this form of attack by making sure that everything passed into a query is properly escaped.
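As an added illustration (not code from the gHacks post or from the article it summarizes), the Python snippet below builds a small constructed SQLite table and contrasts the string-splicing query the paragraph above describes with one that uses bound parameters, the usual way to achieve the proper escaping it calls for. The table, column names and sample values are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table for the demonstration (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, email):
    # Vulnerable form: the user-supplied value is spliced into the SQL string
    # literal, so a single quote in the input terminates the literal and the
    # remainder of the input is parsed as SQL.
    sql = "SELECT email FROM members WHERE email = '" + email + "' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Hardened form: the value is passed as a bound parameter, so the database
    # driver always treats it as data, never as part of the statement.
    sql = "SELECT email FROM members WHERE email = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (email,))]


# Constructed input containing a quote character; it changes the meaning of the
# spliced query but is matched literally (and finds nothing) by the safe one.
CRAFTED = "x' OR 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, CRAFTED))  # returns every row
    print("safe:  ", lookup_safe(db, CRAFTED))    # returns []
```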

SQL Injection Attacks by Example gives you a detailed view of how security experts used the technique to break into the systems of companies that had hired them to perform security tests on their networks or properties.

There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.

The article walks through the following topics and examples:

  • The Target Intranet
  • Schema field mapping
  • Finding the table name
  • Finding some users
  • Brute-force password guessing
  • The database isn't read-only
  • Adding a new member
  • Mail me a password
  • Other approaches
  • Mitigation
  • Resources

A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration.

This step-by-step guide is useful for getting a basic understanding of how security experts analyze a network, website or computer system. In this instance, it details how a security company successfully gained access using SQL injection. The chapter on mitigating the attack can be especially helpful to system and web administrators who want to learn how to protect their properties against this form of attack.
