CEH


340 Chapter 14 ■ SQL Injection


Once you enter the malformed e-mail address, you can reasonably expect one of the
following:
■ The application will sanitize the input by removing the quote from the text because the
application’s designer recognized single quotes as potentially malicious.
■ The application does not have protection in place and accepts the input without sanitizing
it and proceeds to execute it. In that case the SQL is being run by the application.
Pay attention to the impact of this extra quote in the SQL statement. If you look closely
you will notice that an extra quote now appears at the end of the line:

SELECT data
FROM table
WHERE Emailinput = '[email protected]'';

When the application executes the SQL code seen here, an error message should appear.
The content and context of this error message are vital in determining the next step in
the process. If the application is designed well and is validating input and sanitizing it,
you probably will not see any type of message in return. However, if the application is not
performing any sort of cleanup or sanitization on input, then an error message may result.
The presence of these errors indicates that there may be enough of a flaw present to exploit
in some manner.
At this point you can start to perform your injection to see what types of information or
actions are available to you. For example, you may be able to uncover the structure of the
database itself (specifically the tables in the database) using the following code:

UPDATE table
SET email = '[email protected]'
WHERE email = '[email protected]';

The SQL code here is 100-percent legal code in most mainstream versions
of SQL; even though the design of the code is unorthodox, it works and flows
to get you results. For example, note the semicolon following the quote at
the end of the statement. This semicolon has the effect of letting you close
a statement and then append a statement of your own choosing.

Then, if the application runs this malicious code, it looks like this:

SELECT data
FROM table
WHERE Emailinput = 'Y';
UPDATE table
SET email = '[email protected]'
WHERE email = '[email protected]';
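The following is an added example, not code from the chapter, showing both probes from this section (the stray single quote and the appended UPDATE after a semicolon) run against a constructed in-memory SQLite table. It contrasts three ways an application might build the lookup: string concatenation executed one statement at a time, the same concatenation run through a batch API that accepts several statements, and a parameterized query. The table name `users`, the sample addresses and the function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the chapter's "table"; not from the book.
SAMPLE_ROWS = [("alice@example.test", "alice-data"),
               ("bob@example.test", "bob-data")]

def make_db():
    """In-memory SQLite database with an email/data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, data TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def build_concat_sql(emailinput):
    """Vulnerable pattern: the user's value is spliced into the statement text,
    so a quote in the input becomes part of the SQL rather than part of the data."""
    return "SELECT data FROM users WHERE email = '" + emailinput + "'"

def lookup_concat(conn, emailinput):
    """Vulnerable lookup, but the driver's execute() accepts only one statement,
    so an appended statement is refused rather than run."""
    return conn.execute(build_concat_sql(emailinput)).fetchall()

def lookup_concat_batched(conn, emailinput):
    """Same concatenation, run through an API that accepts several ';'-separated
    statements. This is the driver behaviour the chapter's appended-UPDATE example
    relies on. executescript() returns no result rows."""
    conn.executescript(build_concat_sql(emailinput))
    return []

def lookup_param(conn, emailinput):
    """Hardened lookup: the value is bound as a parameter, so quotes and
    semicolons in it are compared as literal characters and never parsed."""
    return conn.execute("SELECT data FROM users WHERE email = ?",
                        (emailinput,)).fetchall()

def probe(lookup, emailinput):
    """Run one lookup on a fresh database and report what a tester would see:
    ('error', message) or ('rows', rows), plus the e-mail column afterwards
    so that any side effect on the table is visible."""
    conn = make_db()
    try:
        outcome = ("rows", lookup(conn, emailinput))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        outcome = ("error", str(exc))
    table = conn.execute("SELECT email FROM users ORDER BY email").fetchall()
    conn.close()
    return outcome, [email for (email,) in table]

# The chapter's two probes, with constructed addresses.
QUOTE_PROBE = "bob@example.test'"
STACKED_PROBE = ("Y'; UPDATE users SET email = 'attacker@example.test' "
                 "WHERE email = 'bob@example.test")

if __name__ == "__main__":
    for name, lookup in [("concat", lookup_concat),
                         ("concat+batch", lookup_concat_batched),
                         ("param", lookup_param)]:
        for label, value in [("quote", QUOTE_PROBE), ("stacked", STACKED_PROBE)]:
            outcome, table = probe(lookup, value)
            print(f"{name:13s} {label:8s} -> {outcome[0]:5s} table={table}")
```

The concatenated version returns a parser error for the lone quote, which is the signal the text describes; only the batched variant actually executes the appended UPDATE and changes the table, which is why a single-statement execute API is a useful backstop even though parameter binding is the real fix: the parameterized lookup simply returns no rows and leaves the table untouched for both probes.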