String SQL Injection (11) | Confidentiality | Cycubix Docs

If a system is vulnerable to SQL injections, aspects of that system’s CIA triad can be easily compromised. Learn how to compromise CIA with SQL string injections

Compromising confidentiality with String SQL injection

If a system is vulnerable to SQL injections, aspects of that system’s CIA triad can be easily compromised (if you are unfamiliar with the CIA triad, check out the CIA triad lesson in the general category). In the following three lessons you will learn how to compromise each aspect of the CIA triad using techniques like SQL string injections or query chaining.

In this lesson we will look at confidentiality. Confidentiality can be easily compromised by an attacker using SQL injection to read sensitive data like credit card numbers from a database.

What is String SQL injection?

If queries are built dynamically in the application by concatenating strings to it, this makes it very susceptible to String SQL injection. If the input takes a string that gets inserted into a query as a string parameter, then you can easily manipulate the build query using quotation marks to form the string to your specific needs. For example, you could end the string parameter with quotation marks and input your own SQL after that.

It is your turn!

You are an employee named John Smith working for a big company. The company has an internal system that allows all employees to see their own internal data - like the department they work in and their salary.

The system requires the employees to use a unique authentication TAN to view their data. Your current TAN is 3SL99A.

Since you always have the urge to be the most earning employee, you want to exploit the system and instead of viewing your own internal data, _ you want to take a look at the data of all your colleagues_ to check their current salaries.

Use the form below and try to retrieve all employee data from the employees table. You should not need to know any specific names or TANs to get the information you need. You already found out that the query performing your request looks like this:

"SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "';

Solution

The application is taking your input and inserting the values into the variables 'name' and 'auth_tan' of the pre-formed SQL command. Compound SQL statements can be made by expanding the WHERE clause of the statement with keywords like AND and OR. Try appending a SQL statement that always resolves to true. Make sure all quotes (" ' ") are opened and closed properly so the resulting SQL query is syntactically correct. Try extending the WHERE clause of the statement by adding something like: ' OR '1' = '1.

Employee Name: A
Authentication TAN: ' OR '1' = '1

Further training

Visit Cycubix.com to find out more about our Application Security training courses. We also offer (ISC)² Official training for CISSP, SSCP, CCSP and CSSLP certifications.

PreviousSQL Injection Intro (10) | Numeric SQL Injection | Cycubix Docs NextString SQL Injection (12) | Integrity | Cycubix Docs

Last updated 3 years ago