1. What is a SQL injection attack?
In a SQL injection attack, the attacker inserts SQL commands into the query string of a web form input field or page request, tricking the server into executing malicious SQL commands. On some forms, the content the user enters is used directly (or indirectly) to construct a dynamic SQL command, or is passed as an input parameter to a stored procedure; forms of this kind are especially susceptible to SQL injection. A typical SQL injection attack proceeds roughly as follows:
⑴ An ASP.NET web application has a login page. This login page controls whether a user is authorized to access the application; it asks the user to enter a name and password.
⑵ The content entered on the login page is used directly to construct a dynamic SQL command, or is passed directly as a parameter to a stored procedure. An example of how an ASP.NET application constructs the query is given below:
⑶ The attacker enters content such as ' or '1'='1 in the user name and password input boxes.
⑷ After the content the user entered is submitted to the server, the server runs the ASP.NET code above to construct the SQL command that looks up the user. But because the content the attacker entered is very special, the resulting SQL command becomes: SELECT * From Users WHERE Login = '' Or '1'='1' AND Password = '' Or '1'='1' .
⑹ Because the SQL command has in fact been altered by the injection attack, it can no longer genuinely verify the user's identity, so the system wrongly grants authorization to the attacker.
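The following is an added example, not code from the original article. It uses Python's sqlite3 module as a stand-in for the ASP.NET code the article refers to, with a constructed Users table containing one sample row. It shows the string-concatenated login query the article describes beside a parameterized version of the same lookup, and how the input from step ⑶ affects each: the concatenated query produces exactly the command shown in step ⑷ and matches a row, while the parameterized query treats the same input as a literal value and matches nothing.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the article).
# Passwords are stored in plaintext here only to keep the example short; a real
# system would store a password hash and compare against that.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Login TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """Builds the query by string concatenation, the pattern the article
    describes. User input becomes part of the SQL text itself.
    Returns (authorized, sql_text) so the constructed command can be inspected."""
    sql = ("SELECT * From Users WHERE Login = '" + login +
           "' AND Password = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0, sql


def login_safe(conn, login, password):
    """Same lookup with bound parameters: the driver passes login and password
    as values, so quotes and keywords in the input never change the query."""
    sql = "SELECT * From Users WHERE Login = ? AND Password = ?"
    rows = conn.execute(sql, (login, password)).fetchall()
    return len(rows) > 0


def demo():
    """Runs both versions against the step-(3) input and a legitimate login."""
    conn = make_db()
    payload = "' or '1'='1"            # the input from step (3) of the article
    vuln_ok, vuln_sql = login_vulnerable(conn, payload, payload)
    return {
        "vulnerable_sql": vuln_sql,
        "vulnerable_authorized": vuln_ok,           # True: the altered query matches
        "safe_authorized": login_safe(conn, payload, payload),   # False
        "safe_real_user": login_safe(conn, "alice", "correct-horse"),  # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the concatenated version, AND binds tighter than OR, so the condition reads as `Login = '' OR ('1'='1' AND Password = '') OR '1'='1'`, which is always true; that is why the lookup succeeds without valid credentials. The parameterized version is the usual fix: the query text is fixed in the code, and the database sees the attacker's string only as data to compare against the Login and Password columns.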