Page 91 - Hands-On Bug Hunting for Penetration Testers
SQL, Code Injection, and Scanners Chapter 5
One common SQLi technique is to input data that can change the context or logic of the
SQL statement's execution. Because that id value is being inserted directly, with no data
sanitization, removal of dangerous code, or data type transformation, the SQL statement is
dynamic, and subject to tampering.
Let's make a change that will affect the execution of the statement:
SELECT title, author FROM posts WHERE id=10 OR 1=1
In this case, OR 1=1 is the user-supplied data. By modifying the WHERE clause, the user
can alter the logic of the developer-supplied part of the executed statement. The preceding
example is pretty innocuous, but if the statement asked for account information from a user
table, or a part of the database associated with privileges, instead of just information about
a blog post, that could represent a way to seriously damage the application.
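The dynamic statement from above beside its parameterized counterpart, as an added example that is not code from the book; the posts table, its rows, and the function names are constructed for the demo:

```python
import sqlite3

# Constructed sample rows for the demo (not from the book).
POSTS = [
    (9, "First post", "alice"),
    (10, "Blog post ten", "bob"),
    (11, "Eleventh post", "carol"),
]


def make_db():
    """Build an in-memory posts table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, author TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    return conn


def search_dynamic(conn, user_id):
    """Vulnerable pattern: the id value is pasted straight into the SQL text,
    so input such as '10 OR 1=1' becomes part of the WHERE clause."""
    sql = "SELECT title, author FROM posts WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def search_parameterized(conn, user_id):
    """Hardened pattern: the value is type-checked, then bound as a parameter,
    so it can never be parsed as SQL."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT title, author FROM posts WHERE id=?"
    return conn.execute(sql, (int(user_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(search_dynamic(conn, "10"))            # one row
    print(search_dynamic(conn, "10 OR 1=1"))     # every row: the logic was altered
    print(search_parameterized(conn, "10"))      # one row
    try:
        search_parameterized(conn, "10 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```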
Testing for SQLi With Sqlmap - Where to Find It and How to Verify It
sqlmap is a popular CLI tool for detecting and exploiting SQLi vulnerabilities. Since we're
only interested in discovering those bugs, we're less interested in the weaponization, except
for brainstorming possible attack scenarios for report submissions.
The simplest use of sqlmap is using the -u flag to target the parameters being passed in a
specific URL. Using webscantest.com again as our example target, we can test the
parameters in a form submission that is specifically vulnerable via GET requests:
sqlmap -u "http://webscantest.com/datastore/search_get_by_id.php?id=3"