Here is an example of SQL injection attack. It takes a set of fairly foolish mistakes--connecting as admin, not validating the textbox, concatenating the text box directly into the SQL string etc. The key is to meet any critera of the query with something like "or 1=1", then do your command and end with a "--" or "/*" which comments out the rest of the SQL code. Our example takes an update statement. It provides a value, provides a closing quote and then comments out the remainder of the SQL. The result is that every field in the table will have the same value for that field.
Here is the c# for the example
using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.UI; using System.Web.UI.WebControls; using System.Data; using System.Data.SqlClient; public partial class _Default : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { //or 1 =1; Drop table student /* } protected void Button1_Click(object sender, EventArgs e) { SqlConnection connect = new SqlConnection("Data Source=localhost;initial catalog=InjectionTest; Integrated Security=true"); string sql = "Update tblPerson set Firstname='" + TextBox1.Text + "' where PersonKey=1"; SqlCommand cmd = new SqlCommand(sql, connect); connect.Open(); cmd.ExecuteNonQuery(); connect.Close(); Label1.Text = "thank you"; } }
Here is a picture of the form running
Here is a picture of the results
No comments:
Post a Comment