How Did I Steal Your Database
Mostafa Siraj (@mostafasiraj)

Agenda
Noooo, it kills suspense.

DISCLAIMER
Hacking websites is ILLEGAL. This presentation is meant for educational purposes ONLY. Only use this stuff on YOUR website and YOUR account.

SQL Injection
What is it?
The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query.
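As an added example (not code from the presentation), the following Python script shows that definition in practice against an in-memory SQLite database with constructed sample tables. The same login query is built twice: once by pasting user input into the SQL text, once with bound parameters. Two constructed payloads are typed into the username field: a tautology that turns the WHERE clause into "always true", and a UNION that appends a second SELECT against a different table (the technique the slides pick up later under "Using UNION Operator"). SQLite is used so the script runs offline; the later T-SQL payloads on this page are SQL Server specific, but the mechanism being demonstrated is the same.

```python
import sqlite3

# Constructed sample schema and rows (not from the presentation), kept in memory
# so the script runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password)
            VALUES ('alice', 'wonderland'), ('bob', 'builder');
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO secrets(note) VALUES ('db backup password: hunter2');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting. Whatever the user typed becomes
    part of the SQL text, so it can change the query's structure (CWE-89)."""
    sql = ("SELECT username FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters. The SQL text is constant; the driver
    passes the two values separately, so a quote inside them is just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two constructed payloads typed into the username field. The trailing '--'
# comments out the rest of the original WHERE clause.
TAUTOLOGY = "' OR '1'='1' --"                       # matches every user
UNION_DUMP = "' UNION SELECT note FROM secrets --"  # reads another table


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", login_vulnerable(db, TAUTOLOGY, "x"))
    print("vulnerable, union    :", login_vulnerable(db, UNION_DUMP, "x"))
    print("safe, tautology      :", login_safe(db, TAUTOLOGY, "x"))
    print("safe, union          :", login_safe(db, UNION_DUMP, "x"))
    print("safe, real login     :", login_safe(db, "alice", "wonderland"))
```

The UNION payload works here because the injected SELECT returns the same number of columns (one) as the original query; against a real target the attacker first has to discover that column count, which is what the UNION section of the talk is about.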
Let's play Hide and Seek
-- Both assignments build the same string, 'master.dbo.xp_cmdshell dir', without the
-- token xp_cmdshell ever appearing in the text a keyword filter would inspect.
declare @a varchar(100);  -- declaration assumed here; the slide shows only the two assignments
set @a = 'master.dbo.xp_' + 'cmdshell dir';      -- keyword split across two literals
set @a = reverse('rid llehsdmc_px.obd.retsam');  -- keyword stored backwards, restored by reverse()
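The point of the two statements above is that a blacklist looking for the string "xp_cmdshell" in the request never sees it. The Python script below, added here and not part of the presentation, makes that concrete: a constructed substring blocklist (`BLOCKLIST`, hypothetical) passes both disguised forms, and a small constant-folding step that evaluates `'a' + 'b'` and `reverse('literal')` the way the server would recovers the original string. A third, constructed payload (`MIXED`) combines both tricks to show the folding generalises to nested combinations.

```python
import re

# Constructed substring blocklist, the kind of naive check a WAF or input filter
# might apply to a request. Not part of the presentation.
BLOCKLIST = ("xp_cmdshell", "sp_oacreate", "openrowset")

# What the attacker means to run, and the two disguised forms from the slide.
PLAIN = "set @a = 'master.dbo.xp_cmdshell dir';"
CONCAT = "set @a = 'master.dbo.xp_' + 'cmdshell dir';"
REVERSED = "set @a = reverse('rid llehsdmc_px.obd.retsam');"
# Constructed variant mixing both tricks, to show the folding below generalises.
MIXED = "set @a = 'master.dbo.' + reverse('_px') + 'cmdshell dir';"


def naive_filter(stmt):
    """Case-insensitive substring match against the blocklist: the check the
    slide's payloads are designed to slip past."""
    lowered = stmt.lower()
    return any(word in lowered for word in BLOCKLIST)


_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_REVERSE = re.compile(r"reverse\(\s*'([^']*)'\s*\)", re.IGNORECASE)


def fold_constants(stmt):
    """Evaluate literal-only string expressions the way SQL Server would, so
    the filter inspects the value the server will build rather than the text
    as sent. Handles 'a' + 'b' and reverse('literal'), repeated until nothing
    changes. Simplification: ignores escaped quotes ('') and any expression
    involving variables, char(), or other functions."""
    previous = None
    while previous != stmt:
        previous = stmt
        stmt = _CONCAT.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), stmt)
        stmt = _REVERSE.sub(lambda m: "'%s'" % m.group(1)[::-1], stmt)
    return stmt


def folding_filter(stmt):
    """Blocklist check applied after constant folding."""
    return naive_filter(fold_constants(stmt))


if __name__ == "__main__":
    for label, stmt in (("plain", PLAIN), ("concat", CONCAT),
                        ("reversed", REVERSED), ("mixed", MIXED)):
        print("%-8s naive=%-5s folded=%-5s -> %s" % (
            label, naive_filter(stmt), folding_filter(stmt), fold_constants(stmt)))
```

Folding helps only until the attacker switches to char() sequences, variables assigned in earlier statements, or functions the folder does not model, so it belongs in a detection layer, not in the fix. The fix is to keep user input out of the SQL text with parameterised queries, run the application under a database account that cannot reach master.dbo at all, and leave xp_cmdshell disabled (it is off by default on SQL Server since 2005).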
Using UNION Operator