A3:2021 | SQL Injection Intro (13) | Cycubix Docs
After successfully compromising confidentiality and integrity in the previous lessons, we now are going to compromise the third element of the CIA triad: availability.
There are many different ways to violate availability. If an account is deleted or its password is changed, the actual owner can no longer access it. Attackers could also delete parts of the database, making it useless, or even drop the whole database. Another way to compromise availability would be, for example, to revoke access rights from admins or other users, so that nobody gets access to (specific parts of) the database.
Now you are the top earner in your company. But do you see that? There seems to be an access_log table, where all your actions have been logged!
Better go and delete it completely before anyone notices.
Given that the access_log table contains the history of all statements run by all users, we can remove it with the DDL command DROP.
The hint tells us the underlying SQL query looks like this: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'". So we know the structure of the statement on the server: our input is concatenated directly into the string literal of a LIKE clause.
The LIKE operator supports two main wildcard characters for pattern matching:
Percent sign (%): represents zero, one, or multiple characters.
Underscore (_): represents a single character.
Answer: %'; DROP TABLE access_log;--
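Added example (not from the lesson or from WebGoat): the concatenated query from the hint next to a parameterized version, both run against a constructed in-memory SQLite access_log table, to show why the same input drops the table in one case and is just a search string in the other.

```python
import sqlite3

# The lesson's payload: %' closes the LIKE literal, ; ends the SELECT,
# DROP TABLE is stacked as a second statement, and -- comments out the trailing %'.
LESSON_PAYLOAD = "%'; DROP TABLE access_log;--"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a constructed access_log table (sample rows, not WebGoat's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE access_log (id INTEGER PRIMARY KEY, username TEXT, action TEXT);"
        "INSERT INTO access_log (username, action) VALUES ('alice', 'Login'),"
        " ('bob', 'Changed salary of Tobi');"
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str = "access_log") -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def search_vulnerable(conn: sqlite3.Connection, action: str) -> str:
    """String concatenation exactly as the hint shows. executescript() is used because
    the lesson's server accepts stacked statements; sqlite3's execute() would refuse them."""
    query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"
    conn.executescript(query)
    return query


def search_parameterized(conn: sqlite3.Connection, action: str) -> list:
    """The input is bound as a value and the wildcards are added in code, so the quote,
    semicolon and comment marker are ordinary characters inside one string literal.
    (User-supplied % and _ still act as wildcards; escaping them is a separate concern.)"""
    return conn.execute(
        "SELECT * FROM access_log WHERE action LIKE ?", ("%" + action + "%",)
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    search_vulnerable(db, LESSON_PAYLOAD)
    print("after concatenated query, table exists:", table_exists(db))  # False
    db = fresh_db()
    print("parameterized rows:", search_parameterized(db, LESSON_PAYLOAD))  # []
    print("after parameterized query, table exists:", table_exists(db))  # True
```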