The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Now, consider what happens when a user searches for all books published

by O’Reilly. This causes the application to perform the following query:

SELECT author,title,year FROM books WHERE publisher = ‘O’Reilly’

In this case, the query interpreter reaches the string data in the same way as

before. It parses this data, which is encapsulated within single quotation

marks, and obtains the value 

O

. It then encounters the expression 

Reilly’

,

which is not valid SQL syntax and so generates an error:

Incorrect syntax near ‘Reilly’.

Server: Msg 105, Level 15, State 1, Line 1

Unclosed quotation mark before the character string ‘

When an application behaves in this way, it is wide open to SQL injection.

An attacker can supply input containing a quotation mark to terminate the

string that he controls, and can then write arbitrary SQL to modify the query

that the developer intended the application to execute. In this situation, for

example, the attacker can modify the query to return every single book in the

retailer’s catalog, by entering the search term:

Wiley’ OR 1=1--

This causes the application to perform the following query:

SELECT author,title,year FROM books WHERE publisher = ‘Wiley’ OR 1=1--‘

This modifies the 

WHERE

clause of the developer’s query to add a second con-

dition. The database will check every row within the books table and extract

each record where the 

publisher

column has the value 

Wiley

or where 1 is

equal to 1. Because 1 is always equal to 1, the database will return every record

within the books table.

Download 5,76 Mb.

Do'stlaringiz bilan baham: