How Did I Steal Your Database
Mostafa Siraj
@mostafasiraj

Agenda
Noooo, it kills suspense

DISCLAIMER
Hacking websites is ILLEGAL. This presentation is meant for educational purposes ONLY. Only use this stuff on YOUR website and YOUR account.

SQL Injection
What is it?
The application dynamically generates an SQL query based on user input, but it does not sufficiently prevent that input from modifying the intended structure of the query.
Let's play Hide and Seek
Both statements are T-SQL (SQL Server) and build the same string, but neither contains the literal token "xp_cmdshell", so a keyword filter that only scans the submitted text never sees it; the server does, once the expression is evaluated.
-- String concatenation: the blocked keyword is split across two literals.
set @a = 'master.dbo.xp_' + 'cmdshell dir';
-- REVERSE(): the whole command is stored backwards and flipped at run time.
set @a = reverse('rid llehsdmc_px.obd.retsam');
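The following Python script is an added example, not code from the slides, that ties the definition above to the hide-and-seek trick. It uses an in-memory SQLite table (constructed sample data) in place of SQL Server to show a query whose structure the input can change next to the parameterized form that fixes it, then shows a keyword denylist of the kind the two T-SQL payloads are built to slip past. The function `toy_tsql_eval` is an assumption: a deliberately tiny model of how SQL Server resolves `'a' + 'b'` and `REVERSE('...')`, not a real T-SQL parser, included only to show that the filter inspects the obfuscated text while the server sees the real command. The names `make_db`, `lookup_vulnerable`, `lookup_parameterized`, `naive_filter_allows` and `DENYLIST` are mine.

```python
"""Added example: dynamic SQL vs. parameterized SQL, and why a keyword
denylist does not close the hole. Not code from the original slides."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table standing in for the real DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # User input is pasted into the statement text, so the input can change
    # the structure of the query: this is the definition on the slide.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The statement's structure is fixed at parse time; the input can only
    # ever be a value, so quotes or keywords inside it change nothing.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Assumed denylist of the kind the "hide and seek" payloads are built to evade.
DENYLIST = ("xp_cmdshell", "union", "--")


def naive_filter_allows(payload: str) -> bool:
    """True if the denylist would let the submitted text through."""
    return not any(bad in payload.lower() for bad in DENYLIST)


def toy_tsql_eval(expr: str) -> str:
    """Assumption: a toy model of how SQL Server resolves the two slide
    payloads. Handles REVERSE('literal') and 'a' + 'b' concatenation only;
    it is not a real T-SQL parser."""
    m = re.fullmatch(r"\s*reverse\('([^']*)'\)\s*", expr, re.IGNORECASE)
    if m:
        return m.group(1)[::-1]
    return "".join(re.findall(r"'([^']*)'", expr))


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, hostile))      # every row
    print("parameterized:", lookup_parameterized(db, hostile))   # no rows
    for p in ("master.dbo.xp_cmdshell dir",
              "'master.dbo.xp_' + 'cmdshell dir'",
              "reverse('rid llehsdmc_px.obd.retsam')"):
        print(f"{p!r:45} filter allows={naive_filter_allows(p)!s:5} "
              f"server sees={toy_tsql_eval(p)!r}")
```

Run it and the two obfuscated payloads pass the denylist while evaluating to the exact string it was meant to block; the parameterized lookup is unaffected by the hostile input without any filtering at all. That is the practical lesson behind the slide: fix the query structure, do not try to recognise bad input.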
Using UNION Operator