OWASP Security Shepherd – SQL Injection Solution – LSB

SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

 

REGISTER TODAY FOR YOUR KUBERNETES FOR DEVELOPERS (LFD259) COURSE AND CKAD CERTIFICATION TODAY! $499!

sql1

With that in mind, let’s tackle this Security Shepherd injection module. We are presented with a brief lesson telling us what SQL Injection is and to get the key we have to fool the database into giving us some information that it would not normally divulge. So we need to craft an SQL query that would give us the information we want.

sql2

We are given a list of names and if we type a name in the text field and hit enter, the database spits out some information on that person. So we need to find someones name that’s hidden to us that spits out the key to pass the module.

Our SQL query will be entered into the text field above. We noticed immediately that anything that we typed, the server would add a ‘; at the end of the query. So if we have another ‘ in our injection, that would cancel the one thatthe server adds. Then if we say something like ‘and 1=1’ and end the query, the database would send us back a Boolean YES, or a positive.

$299 WILL ENROLL YOU IN OUR SELF PACED COURSE – LFS205 – ADMINISTERING LINUX ON AZURE!

We need to craft an SQL query that would list all rows and columns in the database. This proved to be tough and we tried many different queries but the one that worked for us was the query below.

sql3

That’s how SQL Injection works. We fooled the SQL database into giving us some information that was hidden from us. A nice module and it took a while to crack, but we got there.

Thanks for reading and if you like what you’ve read, please add a comment. Like and share too guys, it’s appreciated.

QuBits 2018-09-15

BUNDLE CLOUD FOUNDRY FOR DEVELOPERS COURSE(LFD232) AND THE CFCD CERTIFICATION FOR $499!

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.