tailieunhanh - Module 19 SQL Injection

SQL injection is a technique often used to attack data-driven applications [1]. This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software. The vulnerability happens

Certified Ethical Hacker. Ethical Hacking and Countermeasures, Version 6. Module XIX: SQL Injection.

Scenario

Susan was an SQL programmer with a reputed firm. She ordered an expensive anniversary gift for her husband from which Was a lesser-known online shopping portal but was offering better deals, and was promised delivery on anniversary day. She wanted to give her husband a surprise gift. She was very upset on the anniversary day, as the gift she ordered was not delivered. She tried to contact the portal, but in vain. After several failed attempts to contact the portal, she thought of taking revenge out of frustration. What do you think, as an SQL programmer, Susan can do?

EC-Council. Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

News

Mass SQL injection attack compromises 70,000 websites
Jim Carr, January 08, 2008. Updated Wed., Jan. 9, 2008 at 4:37 . EST

An automated SQL injection attack, which at one point compromised more than websites, hijacked visitors' PCs with a variety of exploits last week, according to researchers. The hacked sites, which could be found easily via a Google search, affected a wide variety of pages, Roger Thompson, chief research officer at Grisoft, noted Saturday in a blog post. "This was a pretty good mass hack," he said. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."

The attack affected websites in both the .edu and .gov domains, according to researchers at the SANS Institute's Internet Storm Center (ISC). Several pages of CA's website were infected as well. "These are almost all trusted sites," Alan Paller, SANS research director, told . The cyberattackers used a SQL injection attack on Microsoft's SQL Server database product to compromise the array of sites. It was an application that accessed system .
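The definition at the top of this page (SQL fragments typed into an entry field ending up inside the command sent to the database) is shown here as an added example that is not part of the original module: a query built by string concatenation beside a parameterized one. The `orders` table, the function names and the sample inputs are constructed for illustration, and an in-memory SQLite database stands in for the application's database.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny order table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders (customer, item) VALUES (?, ?)",
        [("alice", "watch"), ("bob", "camera"), ("bob", "tripod"), ("o'brien", "ring")],
    )
    return conn

def orders_concatenated(conn, customer):
    # Vulnerable form: the entry-field text becomes part of the statement,
    # so the database parses it as SQL rather than as a value.
    sql = "SELECT customer, item FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()

def orders_parameterized(conn, customer):
    # Hardened form: the statement text is fixed and the value is bound
    # separately, so it can only ever be compared against the column.
    sql = "SELECT customer, item FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

def outcome(query_fn, conn, value):
    """Return the number of rows, or the exception name if the statement breaks."""
    try:
        return len(query_fn(conn, value))
    except sqlite3.Error as exc:
        return type(exc).__name__

def compare(conn, value):
    return outcome(orders_concatenated, conn, value), outcome(orders_parameterized, conn, value)

# Constructed entry-field values: a normal name, a name carrying a portion
# of SQL, and a legitimate name that happens to contain an apostrophe.
FIELD_VALUES = ["alice", "alice' OR '1'='1", "o'brien"]

if __name__ == "__main__":
    conn = make_db()
    for value in FIELD_VALUES:
        concatenated, parameterized = compare(conn, value)
        print(f"{value!r}: concatenated={concatenated} parameterized={parameterized}")
```

The third input shows that the concatenated form also fails on legitimate data: a surname with an apostrophe breaks the statement, which is often how the flaw is first noticed in testing or in error logs.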
