![]() ![]() However, in MySQL a double-dash comment " requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. The double-dash comment syntax was first supported in MySQL 3.23.3. Maybe not.īoth attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. For example, another database table might store customer billing information including credit card numbers. Attackers can utilize the "UNION" operator in order to further modify the structure of the query to compromise information from other database tables. The double-dash sequence specifies a SQL comment, causing the database to ignore the remainder of the query. Because one always equal one, all rows are matched and returned to the attacker. This SQL query will match all table rows where either the artist name matches the empty string or one equals one. SELECT * FROM musicCatalog WHERE artist = '' OR 1=1-' ![]() However, attackers can utilize the classic SQL injection exploit string in order to maliciously modify the structure of the SQL query: SELECT * FROM musicCatalog WHERE artist = 'Arctic Monkeys' ![]() A typical search would result in a SQL query that looks something like this (user input is displayed in red): This query will match all database table rows where the artist name matches the unvalidated "artist" parameter supplied by the user. Query = "SELECT * FROM musicCatalog WHERE artist = '" + artist + "'" String artist = request.getParameter("artist") The code constructs a dynamic SQL query including unvalidated user input: For example, consider the following Java code snippet that executes a SQL query against a backend MySQL database in order to search for albums by a specified artist. This exploit string is utilized by attackers to modify the structure of a dynamic SQL query executed by the target web application. If you're familiar with web application penetration testing and SQL injection then the classic SQL injection exploit string should ring a bell: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |