Showing posts from January, 2020

SQL Injection Part -2

Data Extraction Example

Now that we have started our journey to SQL Injection, let’s see an example of data extraction. To extract useful data from the database, normally we need to know the names of the tables and columns containing the data we want to access. The main enterprise DBMSs contain a rich amount of database metadata that we can query to discover the names of every table and column within the database. The methodology for extracting useful data is the same in each case; however, the details differ on different database platforms.[1]

Our example attack will be performed against an MS-SQL database, but we will use a methodology that will work on all database technologies. Consider an address book application that allows users to maintain a list of contacts and query and update their details. When a user searches his address book for a contact, his browser posts the following parameter:

Name=Thomas

and the application returns the fo...

SQL Injection Part -1

Introduction to SQL and Data Stores

In the pre-course material, hosted on the course’s webpage, we were introduced to the SQL language and data stores. The scope of this course is not to learn SQL or data stores, but we are going to examine some more information about data store hacking that we will find useful in the rest of the course.

Currently, nearly all applications rely on a data store to manage data that is processed within the application. In many cases, this data drives the core application logic, holding user accounts, permissions, application configuration settings, and more. Data stores have evolved to become significantly more than passive containers for data. Most hold data in a structured format, accessed using a predefined query format or language, and contain internal logic to help manage that data.

Typically, applications use a common privilege level for all types of access to the data store and, when p...