The Art Of SQL Intrusion.
I have a book by Kevin Mitnick called: The Art Of Intrusion. I ordered it about a year ago and steadily read the book. I read it to page 100 or so because I got the feeling it was complete bullshit what he tried to explain in the book. No offense to Kevin, but I thought the book sucked big time. I heard different stories about him, and in no sense were they reflected in the book. So what was going on? I didn't know, and put the book back onto my bookshelf.
I really learned nothing, until today. I had nothing better to do and picked the book back up and opened it on a random page; page number 175 explained an SQL injection attack. Since I'm somewhat SQL injection savvy, I read a code snippet that goes:
' or where password like '%--
That query became:
select record from users where user = '' or where password like '%' and password = '' or where password like '%'
My jaw dropped... and I thought: No way, José... that query is impossible! I could not understand why this was written in this manner, because another WHERE statement after an OR statement is total bullshit. I have never seen such an SQL structure in my life. It is illegal and generates only errors. I thought, well, maybe he attacked an exotic SQL database server, but that seemed unlikely, and it still makes no sense at all. I read further and he talked about ASP on a VPN login screen somewhere, and that makes this totally impossible. I don't know if this is a flaw or something, but it seems to me that this is so strange I cannot believe he wrote it down like that. I really wonder if he actually tested it, or ever performed a single SQL injection himself, because anyone who is at home in the SQL language knows that this is an error-prone query.
In any case it is impossible! I thought the book sucked before all this, but now I really put it away into a very dark corner of my bookshelf.
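The post's claim can be checked mechanically. The following is an added example, not part of the original post or the book: it feeds the query and the input string exactly as printed above to a SQL parser, then shows the same input against a parameterized login query. SQLite (via Python's `sqlite3`) stands in for the unnamed database behind the ASP page, and the table layout, sample row and function names are assumptions constructed for the demonstration.

```python
import sqlite3

# Query exactly as printed in the post.
PAGE_QUERY = ("select record from users where user = '' or where password like '%' "
              "and password = '' or where password like '%'")
# Input string exactly as printed in the post.
PAGE_INPUT = "' or where password like '%--"


def make_db():
    """Constructed sample table; the schema is an assumption, not from the book."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user text, password text, record text)")
    conn.execute("insert into users values ('alice', 's3cret', 'alice-record')")
    return conn


def run_raw(conn, sql):
    """Execute a finished SQL string; return (rows, parser error or None)."""
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def login_concatenated(conn, user, password):
    """Unsafe pattern the post describes: input is pasted into the SQL text."""
    sql = ("select record from users where user = '" + user +
           "' and password = '" + password + "'")
    return run_raw(conn, sql)


def login_parameterized(conn, user, password):
    """Hardened form: input is bound as data and never reaches the parser."""
    sql = "select record from users where user = ? and password = ?"
    return conn.execute(sql, (user, password)).fetchall(), None


if __name__ == "__main__":
    db = make_db()
    print(run_raw(db, PAGE_QUERY))                          # parser rejects it
    print(login_concatenated(db, PAGE_INPUT, PAGE_INPUT))   # same rejection
    print(login_parameterized(db, PAGE_INPUT, PAGE_INPUT))  # no rows, no error
    print(login_parameterized(db, "alice", "s3cret"))       # normal login works
```

Even though the concatenated query is rejected, the parser error itself shows that user input reached the SQL text, so such errors from a login query are worth alerting on. With bound parameters the same string is compared as an ordinary value and matches no row.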