// SQL Injection 102
//
// http://www.sturmnacht.de.vu
// Michael K. (m1o1d1)
// 08.04.2004
Introduction
------------
This is the second installment of the SQL Injection tutorial. In order
for you to comprehend everything that is going on here, you will need to
have either read the first part or have some previous SQL knowledge.
This part won't be a long one, since I will only discuss small but interesting
topics.
UNION
-----
In SQL there is a command called "UNION" (which is similar to JOIN) which allows
a person to run an SQL statement on 2 tables at once. For example:
SELECT Names FROM Mars_Inhabitants
UNION ALL
SELECT Names FROM Earth_Inhabitants
Would list all names from the inhabitants of Earth AND Mars.
Now, this is where the vulnerability comes in. Some web sites have the
downside of being badly organized. On some web sites there is only 1 DB
that holds ALL tables, including the ones that contain sensitive
information (i.e. email addresses, etc.).
As a case scenario, let's say the web site has a query like this:
"SELECT News FROM NewsTable WHERE Date='$Date'"
The obvious SQL injection we would use here is:
"Saturday' UNION ALL SELECT email FROM UserAccounts Where ''='"
And this would result in a total query of:
"SELECT News FROM NewsTable WHERE Date='Saturday' UNION ALL SELECT email FROM UserAccounts Where ''=''"
If the script then processes this SQL statement, it would print out tons of
email addresses in addition to the news of Saturday.
So again, I advise you to be more careful with your SQL statements and
do A LOT of input validation before sending SQL queries.
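The following is an added example (not part of the original tutorial) that reproduces the scenario above against a constructed in-memory SQLite database with the same two tables. It shows the tutorial's string-concatenated query leaking the UserAccounts emails when given the UNION payload, and the same lookup written with a bound parameter, where the payload is just an unusual Date value that matches nothing. Table names, column names and the sample rows are assumed for the demonstration.

```python
import sqlite3

# Constructed sample database mirroring the tutorial: one DB holding both
# the harmless NewsTable and the sensitive UserAccounts table.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE NewsTable (Date TEXT, News TEXT)")
    cur.execute("CREATE TABLE UserAccounts (username TEXT, email TEXT)")
    cur.executemany("INSERT INTO NewsTable VALUES (?, ?)", [
        ("Saturday", "Saturday headline"),
        ("Sunday", "Sunday headline"),
    ])
    cur.executemany("INSERT INTO UserAccounts VALUES (?, ?)", [
        ("alice", "alice@example.com"),   # constructed sample data
        ("bob", "bob@example.com"),
    ])
    conn.commit()
    return conn

# The tutorial's vulnerable pattern: the user-supplied value is pasted
# straight into the SQL text, so a quote in it ends the string literal
# and whatever follows is executed as SQL.
def news_vulnerable(conn, date):
    sql = "SELECT News FROM NewsTable WHERE Date='" + date + "'"
    return [row[0] for row in conn.execute(sql)]

# The fix: the value is passed as a bound parameter. The database receives
# the query shape and the value separately, so quotes and the word UNION
# inside the value are only characters of the Date being compared.
def news_parameterized(conn, date):
    sql = "SELECT News FROM NewsTable WHERE Date=?"
    return [row[0] for row in conn.execute(sql, (date,))]

# The exact payload from the tutorial text.
PAYLOAD = "Saturday' UNION ALL SELECT email FROM UserAccounts Where ''='"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input: ", news_vulnerable(db, "Saturday"))
    print("vulnerable, payload:      ", news_vulnerable(db, PAYLOAD))
    print("parameterized, normal:    ", news_parameterized(db, "Saturday"))
    print("parameterized, payload:   ", news_parameterized(db, PAYLOAD))
```

Running the script shows the vulnerable function returning the Saturday news followed by every email address, while the parameterized version returns only the news for a real date and an empty list for the payload. Input validation on top of this is still worthwhile, but binding parameters removes the class of bug rather than trying to filter each dangerous character.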
Regards, Michael.
(geocities.com/xsturmnachtx)