SQL injection attacks without the web form

Now that you know some of the problems with the lookupCustomer.php script, let's see how PROJECT: CHAOS (or any other hacker) could exploit those problems and get the Break Neck customer list.

The two captured requests below both arrive at placeOrder.php. The first came through the Break Neck order form; the second was built by hand and sent straight to the script.

Request sent through the Break Neck order form:

    Hypertext Transfer Protocol
    POST /placeOrder.php HTTP/1.1
    Request Method: POST
    Request URI: /placeOrder.php
    Request Version: HTTP/1.1
    Host: www.headfirstlabs.com
    Keep-Alive: 300
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    phone=(214) 290-8762

Your validation catches attacks through the Break Neck order form. Now, only real phone numbers can get through your validation.

Request sent directly to the PHP script, bypassing the form:

    Hypertext Transfer Protocol
    POST /placeOrder.php HTTP/1.1
    Request Method: POST
    Request URI: /placeOrder.php
    Request Version: HTTP/1.1
    Host: www.headfirstlabs.com
    Keep-Alive: 300
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    phone=' || 'a' = 'a

Clever hackers can send a POST request directly to your PHP script, without using the Break Neck order form at all. There's no input validation, so a POST request sent directly to the PHP script can still have a SQL injection attack in it.

These two POST requests are treated exactly the same by the Break Neck web server and PHP script.
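The lesson of the two captures is that the script itself has to validate the phone number and pass it to the database as data, not as SQL text, because it cannot tell a form submission from a hand-built POST. The example below is added here and is not the book's placeOrder.php: it reproduces that server-side logic in Python against an in-memory SQLite table so it runs stand-alone. The phone-number pattern, the customers table and its rows are assumptions chosen to match the sample "(214) 290-8762"; the two request bodies are copied from the captures above.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# The two POST bodies from the captures above (copied, not captured live).
ORDER_FORM_BODY = "phone=(214) 290-8762"
INJECTION_BODY = "phone=' || 'a' = 'a"

# Assumed phone format: matches the sample "(214) 290-8762" and nothing else.
PHONE_RE = re.compile(r"^\(\d{3}\) \d{3}-\d{4}$")


def parse_post_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}.

    A browser form and a hand-built request both land here looking identical,
    which is exactly why the check has to happen on this side, not in the form.
    """
    pairs = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def valid_phone(phone: str) -> bool:
    """Server-side validation: accept only a well-formed US phone number."""
    return PHONE_RE.fullmatch(phone) is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed customers table standing in for the Break Neck database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Eric", "(214) 290-8762"), ("Jen", "(214) 555-0100")],
    )
    return conn


def lookup_customer(conn: sqlite3.Connection, phone: str) -> list:
    """Parameterised lookup: the driver sends `phone` as a value, never as SQL.

    Even the raw injection payload is compared literally against the phone
    column, so it matches no customer instead of every customer.
    """
    cur = conn.execute("SELECT name FROM customers WHERE phone = ?", (phone,))
    return [row[0] for row in cur.fetchall()]


def handle_place_order(conn: sqlite3.Connection, body: str) -> tuple:
    """What a hardened placeOrder.php should do with any POST body it receives.

    Returns ("rejected", []) for input that fails validation, otherwise
    ("ok", [matching customer names]).
    """
    fields = parse_post_body(body)
    phone = fields.get("phone", "")
    if not valid_phone(phone):
        return ("rejected", [])
    return ("ok", lookup_customer(conn, phone))


if __name__ == "__main__":
    db = make_demo_db()
    for body in (ORDER_FORM_BODY, INJECTION_BODY):
        print(repr(body), "->", handle_place_order(db, body))
```

Two defences stack here: the regex rejects the injected body outright, and the parameterised query means that even a value which slipped past validation would be treated as a phone string rather than as part of the WHERE clause.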