String SQL Injection (13) | Availability | Cycubix Docs


Compromising Availability

After successfully compromising confidentiality and integrity in the previous lessons, we now are going to compromise the third element of the CIA triad: availability.

There are many different ways to violate availability. If an account is deleted or its password is changed, the actual owner can no longer access it. Attackers could also delete parts of the database, making it useless, or even drop the whole database. Another way to compromise availability would be, for example, to revoke the access rights of admins or other users, so that nobody can reach (specific parts of) the database.

It is your turn!

Now you are the top earner in your company. But do you see that? There seems to be an access_log table, where all your actions have been logged! Better go and delete it completely before anyone notices.

Solution

💡 Use the techniques that you have learned before.
💡 The application takes your input and filters for entries that are LIKE it.
💡 Try query chaining to reach the goal.
💡 The DDL allows you to delete (DROP) database tables.
💡 The underlying SQL query looks like this: "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'".
💡 Remember that you can use the -- metacharacter to comment out the rest of the line.

Action contains: %'; DROP TABLE access_log;--
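As an added example (not part of the lesson or of WebGoat's own code), the lesson's concatenated query is shown next to a parameterized version, in Python with an in-memory sqlite3 database standing in for the lesson's database. The access_log rows are constructed, and executescript() mimics a driver that runs chained statements the way the lesson's application does; the hardened query also escapes LIKE wildcards, which parameters alone do not neutralize.

```python
import sqlite3

# Constructed sample rows for an access_log table like the one in the lesson.
SAMPLE_ROWS = [
    (1, "alice", "login"),
    (2, "alice", "update salary"),
    (3, "bob", "login"),
]

# The input string from the lesson, used here only as test input.
PAYLOAD = "%'; DROP TABLE access_log;--"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_log (id INTEGER, username TEXT, action TEXT)")
    conn.executemany("INSERT INTO access_log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='access_log'"
    ).fetchone()
    return row[0] == 1


def escape_like(term: str) -> str:
    # Parameters stop statement chaining, but '%' and '_' are still LIKE
    # wildcards inside the bound value; escape them so the search is literal.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn: sqlite3.Connection, action: str) -> list:
    # The user input travels as a bound parameter, never as SQL text.
    pattern = "%" + escape_like(action) + "%"
    return conn.execute(
        "SELECT id, username, action FROM access_log WHERE action LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()


def demo_vulnerable(action: str = PAYLOAD) -> bool:
    """Run the lesson's concatenated query; return whether access_log survived."""
    conn = fresh_db()
    sql = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"
    conn.executescript(sql)  # stands in for a driver that executes chained statements
    return table_exists(conn)


def demo_hardened(action: str = PAYLOAD) -> tuple:
    """Parameterized version; return (access_log survived, number of matching rows)."""
    conn = fresh_db()
    rows = search_hardened(conn, action)
    return table_exists(conn), len(rows)
```

With the concatenated query the table is gone after one request; with the bound parameter the same input is just a search term that matches nothing, and a bare "%" no longer returns every row.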
