Implementing SQL Injection Attack
By: Saravpreet
Injection through user input
Injection through cookies
Injection through server variables
Second-order injection
First-order injection
The application processes the input, causing the attacker's injected SQL query to execute.
Second-order injection
The application stores that input for future use (usually in the database), and responds to the request. The attacker submits a second (different) request. To handle the second request, the application retrieves the stored input and processes it, causing the attacker's injected SQL query to execute.
Example
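The second-order flow described above, as an added example that is not part of the original slides: the first request stores the input safely, and the flaw only appears when a later request splices the stored value into SQL text. The table layout, function names, and the sample username are assumptions constructed for this illustration, and passwords are kept in plain text only to keep it short.

```python
import sqlite3

# Constructed sample input: harmless when stored, dangerous when later concatenated.
CONSTRUCTED_NAME = "guest' OR name = 'admin"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password TEXT)")
    db.execute("INSERT INTO users (name, password) VALUES ('admin', 'admin-secret')")
    return db

def register(db, name, password):
    # Request 1: bound parameters store the text verbatim; nothing executes here.
    cur = db.execute("INSERT INTO users (name, password) VALUES (?, ?)", (name, password))
    return cur.lastrowid

def _stored_name(db, user_id):
    return db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def change_password_vulnerable(db, user_id, new_password):
    # Request 2: the stored value is treated as trusted and spliced into SQL text.
    name = _stored_name(db, user_id)
    db.execute("UPDATE users SET password = ? WHERE name = '" + name + "'", (new_password,))

def change_password_safe(db, user_id, new_password):
    # Hardened: data read back from the database is still bound as a parameter.
    name = _stored_name(db, user_id)
    db.execute("UPDATE users SET password = ? WHERE name = ?", (new_password, name))

def password_of(db, name):
    return db.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()[0]

def run(change_password):
    # Returns (admin's password, the registered user's password) after the change.
    db = make_db()
    uid = register(db, CONSTRUCTED_NAME, "pw1")
    change_password(db, uid, "changed")
    return password_of(db, "admin"), password_of(db, CONSTRUCTED_NAME)

if __name__ == "__main__":
    print("vulnerable:", run(change_password_vulnerable))
    print("hardened:  ", run(change_password_safe))
```

Input validation at registration would not have caught this, because the insert itself is safe; the fix belongs at every point where stored data re-enters a query.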
Identifying injectable parameters
Performing database finger-printing
Determining database schema
Extracting data
Adding or modifying data
Performing denial of service
Evading detection
Bypassing authentication
Executing remote commands
Performing privilege escalation