Question



Activity 2: Injection Basics. Injection attacks trick an application into including unintended commands in the data sent to an interpreter.

Interpreters interpret strings as commands, such as SQL and shells (cmd.exe, bash).

Critical Thinking Questions:

1. What does a user/attacker see at the webpage? Where can an attacker enter exploit data/input?
2. Which entity builds the user string input and sends the SQL query to the database server?
3. Which entity executes the query including the exploit and sends the result back to the web server and then to the user?

Solutions

Expert Solution

1) The SQL shell command is used along with the executable file bash; bash is another script file which is used in the SQL database server to modify and access information.

As we all know, cmd.exe is used to execute the command, which is the bash file capable of changing data on servers and accessing it.

Shell command is used to perform data queries and updates as well as various administration operations.

Therefore the user and attacker see on the webpage what the attacker wants to show or see on the webpage.

The answer to where the attacker can enter exploit data or input is that the attacker must first find vulnerable user inputs within the web page or web application.

A web page or web application that has an SQL Injection vulnerability uses such user input directly in an SQL query.

2) The Interpreter is the entity which builds the user string input (malicious payload) and sends the SQL query to the server.

The attacker can create input content. Such content is often called a malicious payload and is the key part of the attack. After the attacker sends this content, malicious SQL commands are executed in the database.

3) The SQL database is the entity which executes the query language and sends the results back to the server and user.

An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others.

SQL is a query language that was designed to manage data stored in relational databases. You can use it to access, modify, and delete data.

Many web applications and websites store all the data in SQL databases. In some cases, you can also use SQL commands to run operating system commands.
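The three entities the questions ask about (the browser input, the web application that builds the query string, and the database that executes it) traced through in code, as an added Python example that is not part of the original question or answer. It assumes an in-memory SQLite database standing in for the database server, a constructed `users` table, and a constructed payload; the concatenating form is shown beside the parameterized form that the database binds as data only.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the database server, with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Web-application layer, vulnerable form.

    The application (not the interpreter) builds the SQL string by pasting
    the browser-supplied value into it, so the database receives one string
    and cannot tell which part was meant as data and which as command.
    """
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Web-application layer, hardened form.

    The SQL text and the user value travel separately; the database binds
    the value as a literal, so quotes or keywords in it stay data.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed example of a malicious payload
    print(find_user_vulnerable(db, "alice"))   # one row, as intended
    print(find_user_vulnerable(db, payload))   # every row: the WHERE clause was rewritten
    print(find_user_safe(db, payload))         # no rows: the payload is just a name that does not exist
```

Running the file shows the same payload returning the whole table through the concatenating function and nothing through the parameterized one; the difference lives entirely in the web-application layer, which is where the query string is assembled.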

