SQL injection: authentication¶

root-me challenge: Authentication v 0.01: Retrieve the administrator password.

username: admin'--

Resources¶

• Injection SQL

• Blackhat Europe 2009 - Advanced SQL injection whitepaper

• Guide to PHP security : chapter 3 SQL injection

• Blackhat US 2006 : SQL Injections by truncation

• Manipulating SQL server using SQL injection

Techniques¶

• SQL injection

• Server-side injection runbook

Counter moves¶

SQL injection: authentication is the case here. Server-side validation and least privilege are what these reduce to. The defender’s view can be found in the blue notes on the application layer as a target.