The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

now results in the following query, which fails to bypass the login:

SELECT * FROM users WHERE username = ‘admin’‘--‘ and password = ‘’

However, if you submit the following username (containing 19 a’s and one

single quotation mark):

aaaaaaaaaaaaaaaaaaa’

then the application first doubles up the single quotation mark, and then trun-

cates the string to 20 characters, returning your input to its original value. This

results in a database error, because you have injected an additional single quo-

tation mark into the query without fixing up the surrounding syntax. If you

now also supply the password

[space]

or 1=1--

the application performs the following query, which succeeds in bypassing the

login:

SELECT * FROM users WHERE username = ‘aaaaaaaaaaaaaaaaaaa’‘ and password

= ‘ or 1=1--‘

The doubled-up quotation mark at the end of the string of a’s is interpreted

as an escaped quotation mark and, therefore, as part of the query data. This

string effectively continues as far as the next single quotation mark, which in

the original query marked the start of the user-supplied password value. The

actual username understood by the database will, thus, be the literal string

data shown here:  

aaaaaaaaaaaaaaaaaaa’ and password = 

Hence, whatever comes next will be interpreted as part of the query itself

and can be crafted to interfere with the query logic.

T I P

Download 5,76 Mb.

Do'stlaringiz bilan baham: