Ethical Hacking and Penetration Testing Guide




Detecting SQL Injection
To identify an SQL injection, we need to test every user input to see whether it is being filtered correctly. Input parameters such as GET and POST are the ones most commonly vulnerable to this attack. However, cookie values and HTTP headers can also be used to conduct SQL injection attacks, where any one of the HTTP headers or cookie values is inserted into the database and displayed at some point in time. If the application is not filtering them correctly, this could result in an SQL injection.
To test this, you could insert one of the following inputs and hope to break the existing query:

Single quote ('), double quotes ("), or backtick/accent grave (`)

In most cases, the single quote would work; however, it doesn't hurt to test the others. When you enter a single quote and an error is displayed, there is a good chance that the input is vulnerable to an SQL injection. Next, enter another single quote; if no error is displayed, it's most probably vulnerable to an SQL injection. Similarly, probe the user inputs with double quotes and backticks.
Note: This is the case when the application is returning an error. If it doesn't, that does not always mean that the application is not vulnerable to SQL injection. We will look into this in detail when we discuss blind SQL injection attacks.
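Why the quote test above behaves as described, shown as an added example that is not from the book: a Python/sqlite3 sketch comparing a string-concatenated query with a parameterized one. The `users` table, its sample row, and the functions `make_db`, `run`, `lookup_concat`, `lookup_param` and `quote_report` are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one row in a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('1', 'alice')")
    return conn

def run(conn, sql, params=()):
    """Return ('ok', rows) or ('error', message), like a page that shows DB errors."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))

def lookup_concat(conn, user_id):
    # Vulnerable pattern: the input becomes part of the SQL text.
    return run(conn, "SELECT name FROM users WHERE user_id='" + user_id + "'")

def lookup_param(conn, user_id):
    # Hardened pattern: the input is bound as data and never parsed as SQL.
    return run(conn, "SELECT name FROM users WHERE user_id=?", (user_id,))

def quote_report(conn):
    """Status of each lookup for the quote characters listed above."""
    report = {}
    for value in ["1", "1'", "1''", '1"', "1`"]:
        report[value] = (lookup_concat(conn, value)[0], lookup_param(conn, value)[0])
    return report

if __name__ == "__main__":
    for value, (concat, param) in quote_report(make_db()).items():
        print(f"{value!r:8} concat={concat:6} param={param}")
```

In this string context one single quote leaves the literal unterminated and raises an error, while a second single quote re-balances it; the parameterized lookup returns no error for any of the inputs.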
Determining the Injection Type
The first step after you have identified an SQL injection attack is to figure out whether your injection type is "integer" or "string." This is very important since the rest of your queries would depend upon it.


When dealing with integer-based SQL injection, you don't need the single quote to be associated with the rest of the query.
In the following query, the value of user_id is set to an integer, so we don't have to use a single quote every time we inject our SQL statements.
SELECT * FROM users WHERE user_id=1 [SQL Statement]
In the case of a string-based SQL injection, you would need to append the single quote (') every time you inject an SQL statement and append --+ at the end of your query (+ denotes a single space character in the URL-encoded form, so the DB renders it as "--", without quotes). Take an example of the following statement, where the value of user_id is a string. The injection would look like
SELECT * FROM users WHERE user_id='1' ' [SQL Statement] --+
