Untitled.rtf
{\rtf1\ansi\ansicpg1252\cocoartf1138\cocoasubrtf230
{\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fswiss\fcharset0 ArialMT;}
{\colortbl;\red255\green255\blue255;\red255\green255\blue255;}
\margl1440\margr1440\vieww10800\viewh8400\viewkind0
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\f0\fs24 \cf0 SQL Injection\
\
\pard\pardeftab720
\f1\fs32 \cf0 \cb2 1. Show how you can log into a single account without knowing any id numbers ahead of time.
\f0\fs24 \cb1 \
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\cf0 Name: 1 OR 1=1 --\
PW: \'85 (anything: the -- turns the rest of the query into a comment, so the password is never checked)\
\
Acct: 211\
PW : ' OR '1' = '1 (the OR short-circuits the password comparison for that account id)\
\
2.
\f1\fs32 \cb2 Show how you can log into
\b any
\b0 account you like (without knowing any id numbers ahead of time).\
\
can't edit accounts:\
the SQL statements are SELECT queries, and they can't perform modification tasks; a SELECT can't be turned into an UPDATE, and an injected second statement after a ; would only run if the database driver executed stacked statements\
passwords are stored encrypted (hashed) in the database, so to plant a password of your own through an injection you would need to run it through the same encryption first and put that value inside the database\
\
6. 1. flaw: the code didn't check that inputs were of the correct type, and didn't check that only valid characters were entered.\
2. fix: check that integer fields really are integers, and make sure dangerous characters (quotes, comment markers) can't be used to inject; binding the values as query parameters instead of concatenating them into the SQL text is the standard way to guarantee that\
3. }
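The payloads in questions 1 and 2 and the fix described in item 6, worked through as an added example (this is not code from the original notes): a small in-memory SQLite database with constructed sample accounts, a vulnerable login that pastes the account number and password into the query text, and a fixed login that type-checks the account number and binds both values as parameters. The table and column names, the order of the WHERE clause, the plaintext password column and the sample accounts are all assumptions; the third payload (ORDER BY/LIMIT/OFFSET to pick the n-th account) goes beyond the notes to answer question 2 in general.

```python
import sqlite3

# Constructed sample data (assumption, not from the original notes): an
# accounts table keyed by a numeric account id with a plaintext password.
SAMPLE_ACCOUNTS = [
    (105, "alice", "hunter2"),
    (211, "bob", "correct-horse"),
    (340, "carol", "s3cret"),
]


def make_db() -> sqlite3.Connection:
    """Builds an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, acct: str, pw: str):
    """The flawed login from item 6: both inputs are pasted into the SQL text.
    The account id is unquoted (it is 'supposed' to be an integer) and the
    password is quoted. Returns (id, name) of the first matching row, or None."""
    sql = f"SELECT id, name FROM accounts WHERE password = '{pw}' AND id = {acct}"
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, acct: str, pw: str):
    """The fix from item 6: the account id must really be an integer, and both
    values are bound as parameters so quotes and comment markers stay data."""
    try:
        acct_id = int(acct)
    except ValueError:
        return None  # "1 OR 1=1 --" is not an integer: rejected before any SQL runs
    return conn.execute(
        "SELECT id, name FROM accounts WHERE password = ? AND id = ?",
        (pw, acct_id),
    ).fetchone()


def demo() -> dict:
    """Runs the payloads from the notes (plus one generalisation) against both logins."""
    conn = make_db()
    return {
        # Q1: "1 OR 1=1 --" in the id field. The OR makes the WHERE clause true
        # for every row and -- comments out the rest, so the password is never
        # checked and the first account in the table is returned.
        "q1_first_account": login_vulnerable(conn, "1 OR 1=1 --", "anything"),
        # Acct 211 with "' OR '1'='1" in the password field. Because AND binds
        # tighter than OR, this evaluates as password='' OR ('1'='1' AND id=211),
        # i.e. it logs into the requested account without its password.
        "q1_account_211": login_vulnerable(conn, "211", "' OR '1'='1"),
        # Q2 (generalisation beyond the notes): pick the n-th account without
        # knowing any id, by appending ORDER BY/LIMIT/OFFSET to the injected
        # password and commenting out the trailing quote and the id check.
        "q2_second_account": login_vulnerable(
            conn, "0", "' OR '1'='1' ORDER BY id LIMIT 1 OFFSET 1 --"
        ),
        # The fixed login: the same inputs are rejected, a real password works.
        "fixed_rejects_bad_type": login_fixed(conn, "1 OR 1=1 --", "anything"),
        "fixed_rejects_quote": login_fixed(conn, "211", "' OR '1'='1"),
        "fixed_real_login": login_fixed(conn, "211", "correct-horse"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} -> {result}")
```

One caveat worth noticing: whether `' OR '1'='1` in the password field lands you in the account number you typed or simply in the first row of the table depends on the order of the application's WHERE clause, because AND binds tighter than OR. With `id = 211 AND password = '...'` the same payload would return the first account instead. Neither variant survives the fixed version, since the bound parameter is compared as a literal string and the non-integer account number never reaches the database.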