Chapter 17

single quote) into the username field and a single quote in the password 
field. Prior to submitting the form, our username and password fields should 
look like those in Figure 17-2.

Figure 17-2: Attempting to leverage SQL injection

Take a moment to consider what is occurring on the backend when the server receives this input. Here we simply tried to start a new SQL statement and appended some bogus data to it. You probably won’t find many web applications in the wild that are as easy to attack as this one, but this makes for a good example—and it was not too long ago that these sorts of errors were in fact being discovered all the time. When we click the Submit button, we get the error message shown in Figure 17-3.

This error message indicates that a SQL injection flaw is present, based on the SQL exception, and the “Incorrect syntax near” message shows that the 'TEST input caused it. With a quick Google search, we can determine that the backend database is Microsoft SQL, purely based on the error messages that were presented.
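To make the backend behaviour concrete, the following added example (not code from the book) shows a login query built by string concatenation failing on the 'TEST input and leaking the database error, beside a version that binds parameters and returns a generic message. It assumes 'TEST was the username value; SQLite stands in for the Microsoft SQL backend, and the table, function names and sample row are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the page's Microsoft SQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def build_concatenated(username, password):
    # Vulnerable pattern: form input is pasted into the SQL text itself.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    # Returns (authenticated, text shown to the client).
    try:
        row = db.execute(build_concatenated(username, password)).fetchone()
        return row[0] > 0, "ok"
    except sqlite3.Error as exc:
        # Second flaw: the raw database error is echoed, exposing the backend.
        return False, "SQL error: %s" % exc

def login_hardened(db, username, password):
    # Bound parameters keep the input as data, so a quote cannot end the literal.
    try:
        row = db.execute(
            "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
            (username, password)).fetchone()
    except sqlite3.Error:
        # Details belong in a server-side log, never in the response.
        return False, "invalid credentials"
    ok = row[0] > 0
    return ok, "ok" if ok else "invalid credentials"

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated("'TEST", "'"))   # the statement the server ends up parsing
    print(login_vulnerable(db, "'TEST", "'"))
    print(login_hardened(db, "'TEST", "'"))
    print(login_hardened(db, "alice", "s3cret"))
```

The concatenated statement ends the username literal early and leaves TEST as stray SQL, which is what produces the syntax error; the hardened version returns the same response for a bad quote as for a wrong password.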

We won’t go into how to perform SQL injection on web applications here, but you can easily manipulate the input parameters to attack a given system and completely compromise it. (This was covered briefly in Chapter 11.) Notice that we still haven’t actually attacked a system yet; we’ve simply tried to identify a viable attack vector in the system. Now that we know we can potentially compromise this system, it’s time to move on to the exploitation phase.