Fundamental exploitation

Let's start with an initial example. You are a lazy student who wants to pass the final exams without studying, and your best option is to find an SQL injection in the exam system so that you can change your answers.

The most basic feature of any such system is looking up information stored in the database, with statements like the following:

    SELECT student_name, average FROM students WHERE kardex= '2004620080';

The preceding line means: give me the student's name and average grade, stored in the table called students, for the student whose kardex (enrollment) number is 2004620080. As you can see, it is a simple statement, but very useful for looking up the information about each student.

Notice that the statement handles the kardex number as a string (it is enclosed in single quotes), not as a number. So what happens if the application copies whatever we type straight into the statement and we type a special character, such as a single quote? The statement becomes:

    SELECT student_name, average FROM students WHERE kardex='''

The database server cannot parse a lone single quote as a valid value, so it returns an error. The exact message depends on the database management system in use (the two lines below are what Microsoft SQL Server reports), but in general it will be something similar to this:

    Incorrect syntax near '.
    Unclosed quotation mark before the character string '

This message means that the statement could not be parsed because of the single quote. The quote we inserted closes the string literal early, and the programmer's original closing quote is left over with no opening quote to pair with, so the parser sees an unterminated string.

For us, this error means that our input reaches the statement unmodified: the application is not validating or escaping it. Now we want to do something useful with this finding. We insert the string 1' or 1=1-- as the kardex value, so the statement becomes:

    SELECT student_name, average FROM students WHERE kardex='1' or 1=1--'

Our 1' closes the string literal, so the kardex comparison now reads kardex='1', which is false for every row. The or 1=1 that follows is always TRUE, and anything OR TRUE is TRUE, so the WHERE condition is satisfied by every row in the table. Finally, -- starts an SQL comment, so the programmer's original closing quote is ignored instead of producing the syntax error we saw before. What is the result? The database server returns every record stored in the table students. (Two practical caveats: standard SQL compares with = rather than ==, and MySQL only treats -- as a comment when it is followed by whitespace, so there you would send 1' or 1=1-- followed by a space, or use # instead.)

This example is basically how SQL injection is exploited. But wait, things aren't as easy as this; we need to examine different cases.
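The following is an added example, not code from the original page: a small Python program that reproduces the whole walkthrough against an in-memory SQLite database. The students table, its three rows, and the helper names (make_db, lookup_vulnerable, lookup_safe, probe, demo) are all constructed here for illustration. It shows the three behaviours described above, the normal lookup, the syntax error caused by a lone quote, and the tautology returning every row, and contrasts the concatenated query with a parameterised one that is immune to the same input.

```python
import sqlite3

# Constructed sample data (not from the page): kardex, name, average grade.
STUDENTS = [
    ("2004620080", "Alice", 8.5),
    ("2004620081", "Bob", 6.0),
    ("2004620082", "Carol", 9.2),
]


def make_db():
    """Create an in-memory students table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (kardex TEXT, student_name TEXT, average REAL)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, kardex):
    """Build the statement by string concatenation: the mistake in the text."""
    sql = (
        "SELECT student_name, average FROM students WHERE kardex='"
        + kardex
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, kardex):
    """Parameterised version: the value never becomes part of the SQL text."""
    sql = "SELECT student_name, average FROM students WHERE kardex=?"
    return conn.execute(sql, (kardex,)).fetchall()


def probe(conn, kardex):
    """Run the vulnerable lookup and report ('ok', rows) or ('error', message).

    A lone quote makes SQLite raise an unterminated-string error, which is
    the same symptom the text describes for SQL Server.
    """
    try:
        return ("ok", lookup_vulnerable(conn, kardex))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def demo():
    """Exercise the three inputs from the text against both query styles."""
    conn = make_db()
    # SQLite accepts -- as a comment with no trailing space; MySQL would
    # need "-- " (with a space) or "#" instead.
    tautology = "1' or 1=1--"
    return {
        "normal": probe(conn, "2004620080"),      # one matching row
        "quote": probe(conn, "'"),                # syntax error
        "tautology": probe(conn, tautology),      # every row in the table
        "safe_tautology": lookup_safe(conn, tautology),  # no match at all
        "safe_normal": lookup_safe(conn, "2004620080"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterised lookup receives exactly the same attacker string, but the driver sends it as a bound value rather than splicing it into the statement, so it is compared literally against the kardex column and matches nothing.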
