What will the following command produce on a website’s login page if executed successfully?

SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; –'

A.
This code will insert the [email protected] email address into the members table.

B.
This command will delete the entire members table.

C.
It retrieves the password for the first user in the members table.

D.
This command will not produce anything since the syntax is incorrect.





Elger Jonker

The correct answer is false for a number of reasons:

– The commenting syntax is incorrect. It should have two dashes or a hash.
– The multi_query (or for Oracle, batch query?) should be executed. Most times you will only be able to execute one query -> when a ; is detected the query fails. Using multi_queries is unsafe anyway.
– Drop permissions have to be granted to the user. Depends on your administration if Drop table is allowed.

All in all a small chance that the members table is dropped. The chances are about 80% that the syntax is incorrect.

The intentions are clear though: an attacker wants to drop a table.
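As an added example (not part of the question or of any commenter's post), the script below runs the question's payload three ways against an in-memory SQLite database: through a driver call that accepts one statement at a time (the second statement is refused, so the DROP never runs, which is the single-query point made in the comment above), through a call that executes every statement in the string (the table is dropped; note that with the single-dash variant the DROP has already run by the time the trailing syntax error is raised), and through a parameterised query (the input is treated as data, not SQL). The e-mail address in the question is obfuscated on the page, so attacker@example.com is an assumed placeholder; the members rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny members table with the question's columns.
SAMPLE_MEMBERS = [
    ("alice@example.com", "hunter2", "alice", "Alice Example"),
    ("bob@example.com", "s3cret", "bob", "Bob Example"),
]

# The attacker's input from the question. The real address is not legible on
# the page, so attacker@example.com is an assumed placeholder. Two dashes make
# a valid SQL line comment; the one-dash variant shows what the "wrong comment
# syntax" objection actually changes once the driver runs several statements.
INJECTED = "attacker@example.com'; DROP TABLE members; --"
INJECTED_ONE_DASH = "attacker@example.com'; DROP TABLE members; -"

# The application's query, built by splicing the input into SQL text.
LOGIN_SQL_TEMPLATE = (
    "SELECT email, passwd, login_id, full_name FROM members WHERE email = '{}'"
)


def fresh_db():
    """In-memory database with the sample rows, so every run starts clean."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def members_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'members'"
    ).fetchone()
    return row[0] == 1


def login_single_statement(conn, email):
    """Vulnerable concatenation, but the driver runs ONE statement per call.

    sqlite3's execute() refuses a string that contains a second statement, so
    the DROP is never reached. Returns (outcome, table_still_exists).
    """
    try:
        conn.execute(LOGIN_SQL_TEMPLATE.format(email)).fetchall()
        outcome = "executed"
    except (sqlite3.Error, sqlite3.Warning):  # older Pythons raise Warning here
        outcome = "rejected"
    return outcome, members_table_exists(conn)


def login_multi_statement(conn, email):
    """Same concatenation, fed to a call that runs EVERY statement in the string.

    executescript() prepares and runs the statements one after another, so the
    DROP executes before any later syntax error (e.g. a bad comment marker) is
    even parsed. Returns (outcome, table_still_exists).
    """
    try:
        conn.executescript(LOGIN_SQL_TEMPLATE.format(email))
        outcome = "executed"
    except sqlite3.Error:
        outcome = "error"
    return outcome, members_table_exists(conn)


def login_parameterised(conn, email):
    """The fix: the value is bound as a parameter, never spliced into SQL text.

    Returns (rows, table_still_exists).
    """
    rows = conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?",
        (email,),
    ).fetchall()
    return rows, members_table_exists(conn)


if __name__ == "__main__":
    print("single statement :", login_single_statement(fresh_db(), INJECTED))
    print("multi statement  :", login_multi_statement(fresh_db(), INJECTED))
    print("one-dash comment :", login_multi_statement(fresh_db(), INJECTED_ONE_DASH))
    print("parameterised    :", login_parameterised(fresh_db(), INJECTED))
    print("normal login     :", login_parameterised(fresh_db(), "alice@example.com"))
```

The single-statement path is what most drivers do by default, which is why the payload as written often fails loudly rather than dropping anything; whether the account the application connects with even holds DROP rights is a separate question the script does not model. The parameterised form is the only one of the three that is safe regardless of driver behaviour.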

Eddie Guerrero

Good points. I think they’re imagining the logic behind the input the attacker is entering in a web page input box, and he knows that the query is vulnerable, starting with the ’email’ field. He knows he can hijack the whole query. Just to satiate the query, this attacker entered this string into the input box “[email protected]’; DROP TABLE members; –’” (without “”).
The bogus email address ‘[email protected]’ got him by the email field requirement of the query, then inserts his own DROP TABLE query, and terminates the query with ‘–‘ to forget processing the rest of the fields and the logic of the original query, which you can do in many instances, like you can sometimes throw in an ‘OR’ to execute your own query and hijack the process. So if that’s what they are getting at, it’s correct. He is attacking the logic in the query, not actually entering that string you see there.

Eddie Guerrero

You can even find this kind of logic in a drop down menu picker (with seemingly no input fields for users to enter) that matches email to other records, quite often. Your ‘input’ is your ability to select a field and pick from the drop down menu! So if you use like TAMPER DATA, you can manipulate the field and query the same exact way, by putting in a bogus, or matching email address for a record, and hijack the rest of the query using what they did.

Elger Jonker

Well, this query shows malicious intent. If executed successfully, yes. I can just be too nerdy sometimes 🙂

Noel Picher

That is the suitable weblog for anyone who desires to find out about this topic. You realize a lot it's virtually onerous to argue with you (not that I actually would want… HaHa). You definitely put a new spin on a subject that's been written about for years. Nice stuff, simply nice!