Saturday, May 11, 2013

The Purpose of SQL Injection



SQL injection attacks are used by hackers to achieve certain results. Some SQL exploits will produce valuable user data stored in the database, and some are just precursors to other attacks.

The following are the most common purposes of a SQL injection attack:

Identifying SQL Injection Vulnerability. The purpose is to probe a web application to discover which parameters and user input fields are vulnerable to SQL injection.

Performing Database Finger-Printing. The purpose is to discover the type and version of database that a web application is using and “fingerprint” the database. Knowing the type and version of the database used by a web application allows an attacker to craft database-specific attacks.

Determining Database Schema. To correctly extract data from a database, the attacker often needs to know database schema information, such as table names, column names, and column data types. This information can be used in a follow-on attack.

Extracting Data. These types of attacks employ techniques that will extract data values from the database. Depending on the type of web application, this information could be sensitive and highly desirable to the attacker.

Adding or Modifying Data. The purpose is to add or change information in a database.

Performing Denial of Service. These attacks are performed to shut down access to a web application, thus denying service to other users. Attacks involving locking or dropping database tables also fall under this category.

Evading Detection. This category refers to certain attack techniques that are employed to avoid auditing and detection.

Bypassing Authentication. The purpose is to allow the attacker to bypass database and application authentication mechanisms. Bypassing such mechanisms could allow the attacker to assume the rights and privileges associated with another application user.


Executing Remote Commands. These types of attacks attempt to execute arbitrary commands on the database. These commands can be stored procedures or functions available to database users.

Performing Privilege Escalation. These attacks take advantage of implementation errors or logical flaws in the database in order to escalate the privileges of the attacker.
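Several of the purposes listed above (determining the schema, extracting data, adding or modifying data, dropping tables) depend on the application's database connection being allowed to do more than the request needs. The following is an added example, not part of the original post, showing a bound-parameter lookup on a connection restricted to an allowlist of readable columns. It assumes SQLite through Python's `sqlite3` module; the table names, column names and data are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample database (hypothetical tables, for this example only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT);
        INSERT INTO users (name, pw_hash) VALUES ('alice', 'constructed-hash');
    """)
    return conn

# The only columns the request-handling path may read.
ALLOWED_READS = {("users", "id"), ("users", "name")}

def authorizer(action, arg1, arg2, dbname, source):
    """Allow SELECTs over allowlisted columns; deny every other action."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in ALLOWED_READS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, DROP, PRAGMA, other tables and columns

def restricted_db():
    """Sample database with the least-privilege authorizer installed."""
    conn = make_db()
    conn.set_authorizer(authorizer)
    return conn

def find_user(conn, name):
    """Lookup with a bound parameter: the input is data, never SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchone()

def attempt(conn, sql):
    """Return 'allowed' or 'denied' for a statement run on this connection."""
    try:
        conn.execute(sql).fetchall()
        return "allowed"
    except sqlite3.DatabaseError:
        return "denied"

if __name__ == "__main__":
    db = restricted_db()
    print(find_user(db, "alice"))
    for sql in ("SELECT name FROM sqlite_master", "SELECT pw_hash FROM users",
                "UPDATE users SET name = 'x'", "DROP TABLE users"):
        print(attempt(db, sql), "-", sql)
```

On a server database the same restriction is normally expressed with a dedicated low-privilege account and per-table grants rather than an in-process callback.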

