Injection Vulnerabilities: An Introduction
Prof. David Bernstein
Computer Science Department
bernstdh@jmu.edu
SQL Injection

A query built by string concatenation, where data comes from user input:

  "SELECT Name FROM Student WHERE Year = '" + data + "'"

Because the input is spliced into the SQL text, a value containing a quote closes the string literal and everything after it is parsed as SQL. Example values for data (where -- starts a comment, so the application's trailing quote is ignored):

  "'; DROP TABLE Assistants; --'"
  "'; UPDATE Assistants SET Performance='Poor' WHERE Name='Jones'; --'"
  "'; SELECT * FROM Grades; --'"
  ' OR 1=1 --      (a tautology: the WHERE clause is now true for every row)
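As an added example (not from the slides), the concatenated query above beside its parameterized form, in Python with an in-memory SQLite table standing in for the Student table. The table contents and the student names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the lecture's Student table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student (Name TEXT, Year TEXT)")
    conn.executemany(
        "INSERT INTO Student VALUES (?, ?)",
        [("Alice", "Junior"), ("Bob", "Senior"), ("Carol", "Junior")],
    )
    return conn


def names_vulnerable(conn, data):
    """The slide's pattern: user input is spliced into the SQL text."""
    query = "SELECT Name FROM Student WHERE Year = '" + data + "'"
    # A quote inside `data` closes the literal; the rest is parsed as SQL,
    # so ' OR 1=1 -- turns the WHERE clause into one that is always true.
    return sorted(row[0] for row in conn.execute(query))


def names_safe(conn, data):
    """Parameterized query: `data` is bound as a value and never parsed as SQL."""
    query = "SELECT Name FROM Student WHERE Year = ?"
    return sorted(row[0] for row in conn.execute(query, (data,)))


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"   # the tautology from the slide
    print("vulnerable:", names_vulnerable(conn, payload))   # every student
    print("safe:      ", names_safe(conn, payload))         # nobody has that Year
```

The stacked-statement payloads on the slide (the DROP TABLE and UPDATE examples) would raise an exception here rather than run, because Python's sqlite3 driver executes only one statement per call; that is a property of one driver, not a defense, and the parameterized form is what actually removes the problem.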
Discovering the Schema

Once injection is possible, the attacker can query the database's own catalog to learn table names, e.g.

  SELECT Table_Name FROM INFORMATION_SCHEMA.Tables
  or SELECT TABLE_NAME FROM USER_TABLES   (Oracle)

Blind SQL Injection

When the application shows neither query results nor error messages, an attacker can still ask yes/no questions: inject a condition and observe whether the page behaves as it does for a condition that is true (e.g., '' OR '1' = '1') or for one that is false (e.g., '' OR '1' = '2').

Mitigation and Its Limits

Escape user input before it reaches the query (e.g., with mysql_real_escape_string() in PHP). Escaping or filtering quote characters is not sufficient by itself, because a string value can be constructed without any quotes (e.g., with the char() function).
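An added detection example, not from the slides, that runs the probe shapes from the last three slides (tautologies, the true/false pair of blind injection, catalog queries and char()-built strings) over constructed web-server access log lines. The log lines, hosts and paths are made up for the demonstration; the rules are simple regular expressions over the URL-decoded query string, so treat hits as triage candidates, not verdicts.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not from the slides). Line 1 is a
# normal request; lines 2-6 carry a tautology with a comment, the true/false pair
# used in blind injection, a catalog query, and a char()-built string.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /students?year=Junior HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /students?year=%27%20OR%201%3D1%20-- HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /students?year=%27%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:13 +0000] "GET /students?year=%27%27%20OR%20%271%27%3D%272 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /students?year=%27%3BSELECT%20Table_Name%20FROM%20INFORMATION_SCHEMA.Tables-- HTTP/1.1" 500 300
10.0.0.9 - - [01/Jan/2024:10:00:25 +0000] "GET /students?year=%27%2Bchar(39)%2B HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# '' OR '1'='1' style condition: captures both sides of the comparison.
BOOLEAN_RE = re.compile(r"'\s*or\s*'?(\w+)'?\s*=\s*'?(\w+)'?", re.I)
RULES = {
    "comment":       re.compile(r"--|/\*|#"),
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
    "schema_probe":  re.compile(r"information_schema|user_tables", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(", re.I),
}


def decoded_query(line):
    """Return the URL-decoded query string of one log line, or '' if it has none."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return ""
    return unquote_plus(m.group(1).split("?", 1)[1])


def flag_sqli_probes(log_text):
    """Map 1-based line number -> sorted reasons, for the lines that match a rule."""
    flagged = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        q = decoded_query(line)
        reasons = [name for name, rx in RULES.items() if rx.search(q)]
        m = BOOLEAN_RE.search(q)
        if m:
            # Equal sides: always true (tautology); unequal: always false.
            # A tautology immediately followed by a contradiction from the same
            # client is the signature of a blind-injection probe.
            reasons.append("tautology" if m.group(1) == m.group(2) else "contradiction")
        if reasons:
            flagged[n] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for n, reasons in flag_sqli_probes(SAMPLE_LOG).items():
        print(n, reasons)
```

In the sample, lines 3 and 4 differ only in the truth of the injected condition while the response sizes differ (4096 versus 512 bytes), which is exactly the side channel blind injection relies on; correlating such pairs by client and path is a worthwhile second pass over the flagged lines.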
LDAP Injection

A search filter built by string concatenation, where $eID comes from user input:

  ldapSearchQuery = "(cn=" + $eID + ")";

Because the input is spliced into the filter text, values containing filter metacharacters change its meaning, leading to injections like
  "*"                          (a wildcard: the filter now matches every entry)
  "bernstdh)(|(password=*))"   (closes the cn clause and appends a further filter component)
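An added example, not from the slides, of the filter above built with and without escaping of the user-supplied value. The escaping follows RFC 4515 (backslash, asterisk, parentheses and NUL become \5c, \2a, \28, \29 and \00), and a small component counter shows how the unescaped payload changes the filter's structure. Function names are mine; the sample values are the two from the slide.

```python
# RFC 4515 escapes for the characters that have meaning inside a search filter.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value):
    """Escape one assertion value so it cannot alter the filter's structure."""
    # Escaping character by character means a backslash produced by one
    # replacement is never re-escaped by another.
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def cn_filter_vulnerable(e_id):
    """The slide's concatenation: metacharacters in e_id become filter syntax."""
    return "(cn=" + e_id + ")"


def cn_filter_safe(e_id):
    """The same filter with the user-supplied value escaped."""
    return "(cn=" + escape_ldap_filter_value(e_id) + ")"


def top_level_components(filter_text):
    """Count parenthesised components at nesting depth 0.

    A single (cn=...) filter has exactly one. Escaped sequences (a backslash
    plus two hex digits) are skipped so they are not mistaken for parentheses.
    """
    depth = count = i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return count


if __name__ == "__main__":
    for e_id in ["bernstdh", "*", "bernstdh)(|(password=*))"]:
        for label, f in (("vulnerable", cn_filter_vulnerable(e_id)),
                         ("safe", cn_filter_safe(e_id))):
            print(f"{e_id!r:28} {label:10} {f}  [{top_level_components(f)} component(s)]")
```

Most LDAP client libraries ship an equivalent escaping routine; the point of writing it out is to see that the escaped value is still a valid assertion value for the literal string the user typed, while the unescaped one is a different filter.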
Mail Header Injection

PHP's mail() function:

  bool mail ($to , $subject , $message [, $headers [, $parameters ]])

If user input is placed into $to, $subject or $headers without removing line breaks, the input can end the current header line and add headers of its own (for example additional recipients).
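An added example, not from the slides, of building the $headers argument for mail() from user-controlled addresses while refusing values that contain a line break. It is written in Python rather than PHP so that it runs stand-alone; the function names and the sample addresses are mine.

```python
import re
from urllib.parse import unquote


class HeaderInjection(ValueError):
    """Raised when a user-supplied header value would start a new header line."""


def clean_header_value(name, value):
    """Return the value if it is safe to place in a mail header, else raise.

    The value is URL-decoded once before checking, because an encoded line
    break (%0A or %0D) that gets decoded later in the pipeline has the same
    effect as a raw one.
    """
    decoded = unquote(value)
    if re.search(r"[\r\n]", decoded):
        raise HeaderInjection(f"line break in {name} header")
    return decoded.strip()


def build_extra_headers(from_addr, reply_to=None):
    """Build the extra-headers string from user-controlled addresses."""
    lines = ["From: " + clean_header_value("From", from_addr)]
    if reply_to:
        lines.append("Reply-To: " + clean_header_value("Reply-To", reply_to))
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_extra_headers("student@example.com"))
    try:
        # Constructed malicious input: an encoded newline followed by a Bcc header.
        build_extra_headers("student@example.com%0ABcc: everyone@example.org")
    except HeaderInjection as e:
        print("rejected:", e)
```

Decode exactly once and at the point the value is checked: if the web framework has already decoded the request, decoding again here would mangle a legitimate percent sign, so match the check to where the value actually enters the program.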
OS Command and Code Injection

Functions that hand a string to a shell or an interpreter are dangerous whenever any part of that string comes from user input. Examples by language:

  C / POSIX:    execlp(), execvp(), popen(), system()
  Windows:      ShellExecute(), _wsystem()
  Java:         Class.forName(), Class.newInstance(), Runtime.exec()
  JavaScript:   eval()
  Perl:         ` (backticks), | (pipe open), eval, Exec, System
  PHP:          eval()
  Python:       eval, exec, execfile, os.open, os.system
  Ruby:         Kernel.eval(), Kernel.exec(), Kernel.fork()
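An added example, not from the slides, of the difference between the system()-style calls in the table and their safe equivalents, using Python's subprocess module. The vulnerable form passes one string to /bin/sh exactly as os.system would; the input "hello; echo INJECTED" is a constructed value containing a shell separator, and the only command it runs is echo. Function names are mine; a POSIX shell is assumed.

```python
import re
import shlex
import subprocess


def run_vulnerable(user_value):
    """Like system()/os.system(): one string handed to /bin/sh."""
    cmd = "echo " + user_value          # a ';' in user_value ends the command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(user_value):
    """argv list, no shell: the value is exactly one argument, metacharacters included."""
    return subprocess.run(["echo", user_value], capture_output=True, text=True).stdout


def run_quoted(user_value):
    """If a shell is unavoidable, quote the argument so the shell sees one word."""
    cmd = "echo " + shlex.quote(user_value)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


TOKEN_RE = re.compile(r"[A-Za-z0-9._-]+")


def validated(user_value):
    """Allow-list check: accept only the characters the command actually needs."""
    if not TOKEN_RE.fullmatch(user_value):
        raise ValueError("unexpected characters in argument")
    return user_value


if __name__ == "__main__":
    payload = "hello; echo INJECTED"     # constructed input with a shell separator
    print(repr(run_vulnerable(payload)))  # the second command runs
    print(repr(run_safe(payload)))        # printed literally, as one argument
    print(repr(run_quoted(payload)))      # printed literally
```

The argv form is the one to reach for: it needs no knowledge of which characters the shell treats specially, whereas quoting and allow-listing both have to be kept right for every shell the code might run under.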
JSON

A response with content type application/json that is parsed with the eval() function and then used to populate a document is an injection risk: eval() executes whatever JavaScript the response contains, not only JSON data.
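An added example, not from the slides, of handling a JSON response body as data rather than code: the content type is checked, the body goes through a JSON parser that rejects anything outside the JSON grammar, and the result is checked against the fields the page expects before it is used. It is written in Python (json.loads plays the role a JSON parser does in the browser); the field names and sample bodies are constructed.

```python
import json

# Fields the page expects to populate, with their types (constructed schema).
EXPECTED_FIELDS = {"name": str, "year": str}


def load_student_record(content_type, body):
    """Turn a response into a record for the page, or raise ValueError.

    json.loads accepts only the JSON grammar, so a body that is code is
    rejected rather than executed; eval() would have run it.
    """
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("unexpected content type: " + content_type)
    data = json.loads(body)            # JSONDecodeError (a ValueError) on non-JSON
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    for field, kind in EXPECTED_FIELDS.items():
        if not isinstance(data.get(field), kind):
            raise ValueError(f"field {field!r} missing or not {kind.__name__}")
    # Copy only the expected fields, so unexpected keys never reach the page.
    return {field: data[field] for field in EXPECTED_FIELDS}


# Constructed sample bodies.
GOOD_BODY = '{"name": "Alice", "year": "Junior", "extra": 1}'
CODE_BODY = "(function () { return {name: 'Alice'}; })()"   # valid JavaScript, not JSON

if __name__ == "__main__":
    print(load_student_record("application/json; charset=utf-8", GOOD_BODY))
    for ctype, body in [("application/json", CODE_BODY), ("text/html", GOOD_BODY)]:
        try:
            load_student_record(ctype, body)
        except ValueError as e:
            print("rejected:", e)
```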
SQL Server

xp_cmdshell, which executes commands in the command shell, so that a SQL injection against a server with it enabled can become operating-system command execution