Ask an Expert: SQL Injection attack
Moderators: kgudger, bfinio, Moderators
-
Game_Difficulty
- Posts: 3
- Joined: Wed Jan 02, 2019 10:25 pm
- Occupation: Student
SQL Injection attack
Okay, hello!
So I am currently working on the Preventing SQL Injection project. The problem that I have, and it sounds stupid, is that I don't know what the name of the database is for the virtual website (the one by science buddies). I already have some basic knowledge of SQL (thanks to Codecademy and kahnacedemy) on how to do things like create a new table, modify data on a user, etc. but the commands require the name of the database. I don't know if it's not there or if it is and I'm just not paying attention, but I've been stuck on it for a while. Am I suppose to use a command to figure it out? Search it up on the internet? Or is it in plain sight? I'm not sure, but any help would be greatly appreciated.
Thank you :3
- Game_Difficulty
So I am currently working on the Preventing SQL Injection project. The problem that I have, and it sounds stupid, is that I don't know what the name of the database is for the virtual website (the one by science buddies). I already have some basic knowledge of SQL (thanks to Codecademy and kahnacedemy) on how to do things like create a new table, modify data on a user, etc. but the commands require the name of the database. I don't know if it's not there or if it is and I'm just not paying attention, but I've been stuck on it for a while. Am I suppose to use a command to figure it out? Search it up on the internet? Or is it in plain sight? I'm not sure, but any help would be greatly appreciated.
Thank you :3
- Game_Difficulty
Re: SQL Injection attack
Hi Game_Difficulty - the name of the table is "users," however you shouldn't actually need that information in order to perform the attack. I don't want to say too much more because I'd be giving it away - check out the other resources in the project's bibliography if you haven't already. Good luck!
-
Game_Difficulty
- Posts: 3
- Joined: Wed Jan 02, 2019 10:25 pm
- Occupation: Student
Re: SQL Injection attack
bfinio,
Hi! Thank you so much for responding and giving me that piece of advice. I actually was able to perform an attack which then allowed me to see all the users in the database, login as different users and see all the users addresses at once.
However, just like RedStoneMan I cannot seem to figure out how to look up another users password or also, in my case, add a new user, modify data about a user, create a new table, etc. etc. I know what code to write and I know that the codes are right but nothing seems to be working. If you, or anyone else, are able to give me a hint or a nudge towards what direction I should head, I would once again greatly appreciate it. My deepest apologies for the bother.
Thank you
- Game_Difficulty :3
Hi! Thank you so much for responding and giving me that piece of advice. I actually was able to perform an attack which then allowed me to see all the users in the database, login as different users and see all the users addresses at once.
However, just like RedStoneMan I cannot seem to figure out how to look up another users password or also, in my case, add a new user, modify data about a user, create a new table, etc. etc. I know what code to write and I know that the codes are right but nothing seems to be working. If you, or anyone else, are able to give me a hint or a nudge towards what direction I should head, I would once again greatly appreciate it. My deepest apologies for the bother.Thank you
- Game_Difficulty :3
-
LeungWilley
- Expert
- Posts: 329
- Joined: Mon Jan 12, 2009 11:15 pm
- Occupation: Electrical Engineer
Re: SQL Injection attack
Hi Game_Difficulty,
I just came across / responded to RedStoneMan's post and I think i would like to request the same info from you please.
When you say nothing seems to be working, are you "logged in" as the user who have the permission to insert records / create tables, etc...?
Please let us know. Good Luck with your experiment!
Willey
I just came across / responded to RedStoneMan's post and I think i would like to request the same info from you please.
When you say nothing seems to be working, are you "logged in" as the user who have the permission to insert records / create tables, etc...?
Please let us know. Good Luck with your experiment!
Willey
-
Game_Difficulty
- Posts: 3
- Joined: Wed Jan 02, 2019 10:25 pm
- Occupation: Student
Re: SQL Injection attack
!!!!
I totally forgot! I actually managed to finish the project and present it :3 sorry for forgetting :/ but I wanted to say thank you so much for your guys help :3.
Thank you!!!
~ Game_Difficulty
I totally forgot! I actually managed to finish the project and present it :3 sorry for forgetting :/ but I wanted to say thank you so much for your guys help :3.
Thank you!!!
~ Game_Difficulty
Re: SQL Injection attack
Glad we could help!
-
Fauco
- Posts: 1
- Joined: Mon Apr 08, 2019 2:02 am
- Occupation: https://waveadvice.com/
Re: SQL Injection attack
A SQL injection attack won't bring a server down unless you try *really* hard.
It's just a normal SQL query where the user tries to get different results than what the webmaster had intended, nothing else. Certainly not "illegal".
It's just a normal SQL query where the user tries to get different results than what the webmaster had intended, nothing else. Certainly not "illegal".
