SQL Injection attack

Game_Difficulty
Posts: 3
Joined: Wed Jan 02, 2019 10:25 pm
Occupation: Student

SQL Injection attack

Post by Game_Difficulty »

Okay, hello!
So I am currently working on the Preventing SQL Injection project. The problem that I have, and it sounds stupid, is that I don't know what the name of the database is for the virtual website (the one by Science Buddies). I already have some basic knowledge of SQL (thanks to Codecademy and Khan Academy) on how to do things like create a new table, modify data on a user, etc., but the commands require the name of the database. I don't know if it's not there or if it is and I'm just not paying attention, but I've been stuck on it for a while. Am I supposed to use a command to figure it out? Search it up on the internet? Or is it in plain sight? I'm not sure, but any help would be greatly appreciated.

Thank you :3 :)

- Game_Difficulty
bfinio
Expert
Posts: 740
Joined: Mon Aug 12, 2013 2:41 pm
Occupation: Science Buddies Staff
Project Question: Expert
Project Due Date: n/a
Project Status: Not applicable

Re: SQL Injection attack

Post by bfinio »

Hi Game_Difficulty - the name of the table is "users"; however, you shouldn't actually need that information in order to perform the attack. I don't want to say too much more because I'd be giving it away - check out the other resources in the project's bibliography if you haven't already. Good luck!
Game_Difficulty
Posts: 3
Joined: Wed Jan 02, 2019 10:25 pm
Occupation: Student

Re: SQL Injection attack

Post by Game_Difficulty »

bfinio,
Hi! Thank you so much for responding and giving me that piece of advice. I actually was able to perform an attack which then allowed me to see all the users in the database, log in as different users and see all the users' addresses at once. :D However, just like RedStoneMan I cannot seem to figure out how to look up another user's password or also, in my case, add a new user, modify data about a user, create a new table, etc. etc. I know what code to write and I know that the codes are right but nothing seems to be working. If you, or anyone else, are able to give me a hint or a nudge towards what direction I should head, I would once again greatly appreciate it. My deepest apologies for the bother.

Thank you
- Game_Difficulty :3
LeungWilley
Former Expert
Posts: 409
Joined: Mon Jan 12, 2009 11:15 pm
Occupation: Electrical Engineer
Project Question: n/a
Project Due Date: n/a
Project Status: Not applicable

Re: SQL Injection attack

Post by LeungWilley »

Hi Game_Difficulty,
I just came across / responded to RedStoneMan's post and I think I would like to request the same info from you please.
When you say nothing seems to be working, are you "logged in" as the user who has the permission to insert records / create tables, etc...?

Please let us know. Good Luck with your experiment!
Willey
Game_Difficulty
Posts: 3
Joined: Wed Jan 02, 2019 10:25 pm
Occupation: Student

Re: SQL Injection attack

Post by Game_Difficulty »

!!!!
I totally forgot! I actually managed to finish the project and present it :3 sorry for forgetting :/ but I wanted to say thank you so much for your guys' help :3.
Thank you!!!
~ Game_Difficulty
bfinio
Expert
Posts: 740
Joined: Mon Aug 12, 2013 2:41 pm
Occupation: Science Buddies Staff
Project Question: Expert
Project Due Date: n/a
Project Status: Not applicable

Re: SQL Injection attack

Post by bfinio »

Glad we could help!
Fauco
Posts: 1
Joined: Mon Apr 08, 2019 2:02 am
Occupation: Other
Project Question: Other
Project Due Date: -
Project Status: Not applicable

Re: SQL Injection attack

Post by Fauco »

A SQL injection attack won't bring a server down unless you try *really* hard.
It's just a normal SQL query where the user tries to get different results than what the webmaster had intended, nothing else. Certainly not "illegal".