SQL Injection Attacks by Example
We all know about the security threat of non-sanitized user input, but it’s pretty scary how much a hacker can learn about your database structure just through SQL injections. This article, one of the most interesting I’ve read in a long time, shows how easy it is to gain access to an intranet area.
A customer asked that we check out his intranet site, which was used by the company’s employees and customers. This was part of a larger security review, and though we’d not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration.