Sql Injection Essay

5051 Words21 Pages
A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration. Table of Contents * The Target Intranet * Schema field mapping * Finding the table name * Finding some users * Brute-force password guessing * The database isn't readonly * Adding a new member * Mail me a password * Other approaches * Mitigations * Other resources "SQL Injection" is subset of the an unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. But the fact that we were successful does suggest that we were not entirely misguided. There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale ofdiscovery as much as the process of exploitation. The Target Intranet This appeared to be an entirely custom application, and we had no prior knowledge of the application nor access to the source code: this was a "blind" attack. A bit of poking showed that this server ran Microsoft's IIS 6 along with ASP.NET, and this suggested that the database was Microsoft's SQL server: we believe that these techniques can apply to nearly any web application backed

More about Sql Injection Essay

Open Document