This is a worked example of SQL injection, following the author's steps to show how the injection was found and exploited; it records a complete break-in from first probe to finish and is worth reading. The translation quality is limited, so please forgive any rough spots.
A client asked us to perform a penetration test of an intranet that only its own employees and customers can use. This was part of a broader security assessment, and although we had never used SQL injection to get into a network before, we were quite familiar with the concept. In the end we succeeded, and here we walk through each step of the process and record it as a case study.
"SQL Injection" is an attack that exploits unfiltered, unvalidated user input (this is distinct from a buffer overflow) so that the application runs SQL code it was never meant to run. If an application builds its SQL statements as strings and executes them without any precautions, the results can be quite unexpected.
We recorded the twists and turns we went through, including many wrong turns; a more experienced tester would have taken a different, and probably better, route. But the fact that we succeeded shows that we were not completely misguided.
Other SQL injection articles contain more detail, but this one not only shows the exploit but also describes how the vulnerability was discovered in the first place.
Target Intranet
In front of us was a fully custom website that we had never seen before and whose source code we had no access to: this was a "black box" attack. Reconnaissance showed that the server was running Microsoft IIS 6 on the ASP.NET framework, which strongly suggested that the database was Microsoft SQL Server. We believe, however, that the techniques apply to almost any web application, whatever SQL server it is running on.
The login page has the traditional username/password form, but also a "Mail me my password" link; later, this turned out to be the key to the collapse of the whole system.
When an e-mail address is entered, the system assumes the address exists, looks it up in the user database, and mails something to that address. Our address was not in the database, so it sent us nothing.
For any form that feeds SQL, the first step is to submit data containing a single quote: the aim is to find out whether the application builds its SQL string directly from the input without sanitizing it. When we submitted a lone single quote as the e-mail address, we got a 500 error (server error), which means the "harmful" input was used directly in the SQL statement. That is what we were hoping for!
We guessed that the SQL code probably looked something like this:
SELECT fieldlist FROM table WHERE field = '$EMAIL';
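The following is an added example (not code from the original article, whose target was a black box) that reproduces the single-quote probe against a constructed in-memory SQLite table. The table and column names (members, email, passwd) and the sample rows are assumptions standing in for the unknown user database. It shows why a bare quote produces a server error when the query is built by string concatenation, why the same input is harmless with a bound parameter, and what a classic `' OR '1'='1` payload returns from each version.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the intranet's user database
    (hypothetical table and column names, fabricated sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by string concatenation, the way the article
    guesses the 'mail me my password' page does. Returns matching rows,
    or raises sqlite3.OperationalError when the input breaks SQL syntax
    (the equivalent of the 500 error seen in the text)."""
    sql = "SELECT email, passwd FROM members WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Same query with a bound parameter; whatever the user types is
    handled as data and can never be parsed as SQL."""
    sql = "SELECT email, passwd FROM members WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def probe(conn, email):
    """The single-quote test from the text: 'error' means the input reached
    the SQL parser unfiltered, 'ok' means the statement still parsed."""
    try:
        lookup_vulnerable(conn, email)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    print("normal address :", probe(db, "alice@example.com"))   # ok
    print("single quote   :", probe(db, "'"))                   # error
    payload = "x' OR '1'='1"
    print("vulnerable     :", lookup_vulnerable(db, payload))   # every row
    print("parameterized  :", lookup_safe(db, payload))         # []
```

The probe works because the concatenated statement becomes `WHERE email = '''`, an unterminated string literal, so the database rejects it with a syntax error that the application turns into a 500. The `x' OR '1'='1` payload instead closes the literal and appends an always-true condition, so the vulnerable lookup returns every member while the parameterized one simply finds no address equal to that string.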
Examples of SQL injection attacks