What is the smallest possible SQL injection attack character sequence?
Simple: a SQL injection attack in as few characters as possible. Note, I'm not trying to prevent SQL injection attacks by limiting inputs to a certain size, but rather am genuinely curious how many characters are needed to execute even the simplest attack.

For posterity's sake, let's say the smallest table name is 4 characters, e.g., "user". Please factor that in.

Multiangular answered 23/11, 2010 at 1:55

One character is the smallest unit that you have control over. The question depends heavily on what you're doing. For instance, if you're dealing with an interface to delete your profile from a site, and you send '%' instead of your name:

"Delete from Users where name like '"+username+"'"

then setting your username to % will delete all the users.

Rachitis answered 23/11, 2010 at 2:6

Comments:
What sane site would use like? (Involuntary)
What sane site would allow SQL injection attacks? (Rachitis)
None, but what sane site wouldn't sanitize their database inputs? (Kurt)
SQL injection is the natural path of a beginner developer. Using like for this isn't. (Involuntary)
I think you would be surprised at what people are capable of. Either way, given this contrived example, a single character would be capable of causing havoc. (Rachitis)
Good example, it shows how dangerous SQL injection is. However, if you're using ' or 1=1 --, it does not matter if you used like or not in your SQL command, it will always delete all users. (Kirchner)
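The following is an added example (not code from the thread) that runs the answer's single-character case against an in-memory SQLite table, with constructed sample users. It shows three things: the concatenated LIKE query wipes every row when the input is '%'; binding the name as a parameter and comparing with = treats '%' as a literal and deletes nothing; and, as a caveat, binding the parameter but keeping LIKE still matches every row, because '%' is then a legitimate wildcard rather than injected SQL. Table and column names are assumptions taken from the query quoted in the answer.

```python
import sqlite3

# Constructed sample data (not from the original thread).
SAMPLE_USERS = ["alice", "bob", "carol"]


def fresh_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT)")
    conn.executemany("INSERT INTO Users (name) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    conn.commit()
    return conn


def delete_profile_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """The pattern quoted in the answer: the name is concatenated into a LIKE.
    Returns the number of rows deleted."""
    sql = "Delete from Users where name like '" + username + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_profile_like_bound(conn: sqlite3.Connection, username: str) -> int:
    """Bound parameter, but the query still uses LIKE. No SQL is injected,
    yet '%' remains a wildcard and matches every name."""
    cur = conn.execute("DELETE FROM Users WHERE name LIKE ?", (username,))
    conn.commit()
    return cur.rowcount


def delete_profile_parameterized(conn: sqlite3.Connection, username: str) -> int:
    """Hardened form: bound parameter and an equality test, so the value is
    compared as a literal string. Returns the number of rows deleted."""
    cur = conn.execute("DELETE FROM Users WHERE name = ?", (username,))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    """Rows left in the table."""
    return conn.execute("SELECT COUNT(*) FROM Users").fetchone()[0]


def demo() -> tuple:
    """Run all three variants with the one-character input and the real name."""
    conn = fresh_db()
    wiped = delete_profile_vulnerable(conn, "%")          # every row matched
    left_after_vulnerable = remaining(conn)

    conn = fresh_db()
    wildcard_bound = delete_profile_like_bound(conn, "%")  # still every row

    conn = fresh_db()
    literal = delete_profile_parameterized(conn, "%")      # nobody is named '%'
    left_after_param = remaining(conn)
    one = delete_profile_parameterized(conn, "bob")        # exactly one profile
    return (wiped, left_after_vulnerable, wildcard_bound,
            literal, left_after_param, one, remaining(conn))


if __name__ == "__main__":
    print(demo())  # (3, 0, 3, 0, 3, 1, 2)
```

The middle function is the check a reviewer should run after a "just parameterize it" fix: parameters stop the input from being parsed as SQL, but they do not change what the query does with a pattern-matching operator, so a delete keyed on a user-supplied value should compare for equality.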
When injecting into a string literal:

';drop database;--
Involuntary answered 23/11, 2010 at 2:3

Comment:
I believe this is the answer I was seeking, as it is a more realistic use case. However, the other answer below, while maybe not realistic, is the shorter answer (and creative). Thanks for your answer. (Multiangular)

How about this one:

' OR 1=1 --
Camus answered 4/11, 2019 at 9:26

Suppose the query was generated like this

"Select * from user where userid = " + myVar 

1; delete from user;
Thimbleful answered 23/11, 2010 at 2:0

To summarize, if I trim my inline variable to 13 chars max, no dangerous SQL injection is possible. In my SQL, 13 chars is enough to match any of my results with charindex. I cannot use a parameterized stored procedure since my SQL is dynamically generated in C# with complicated if/else logic.

Fess answered 20/3, 2024 at 15:55
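As an added example (not from the thread) that tests the length-limit idea above against the payloads given in the other answers, the code below applies a 13-character trim and then concatenates, using an in-memory SQLite table with constructed rows. The ' OR 1=1 -- string from the Camus answer is 11 characters, so it survives the trim and the lookup returns every user. The same lookup with a bound parameter returns nothing, and the userid case from the Thimbleful answer, bound as a parameter, matches nothing and runs no second statement. Table and column names are assumptions taken from the queries quoted in those answers; `MAX_LEN` is the limit stated in the answer above.

```python
import sqlite3

# Constructed sample data (not from the original thread).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

MAX_LEN = 13  # the trim limit proposed in the answer above

# Payloads quoted elsewhere on this page.
OR_PAYLOAD = "' OR 1=1 --"          # 11 characters
STACKED_PAYLOAD = "1; delete from user;"


def fresh_db() -> sqlite3.Connection:
    """In-memory table seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Trims the input to MAX_LEN and then concatenates it. The trimmed
    value is still interpreted as SQL, so the limit changes nothing."""
    name = name[:MAX_LEN]
    sql = "SELECT userid, name FROM user WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: any length, any characters, compared as a literal."""
    return conn.execute(
        "SELECT userid, name FROM user WHERE name = ?", (name,)).fetchall()


def find_by_id_safe(conn: sqlite3.Connection, myvar) -> list:
    """The numeric case: the value is bound, so a string that is not a
    number is compared as data and matches no row."""
    return conn.execute(
        "SELECT userid, name FROM user WHERE userid = ?", (myvar,)).fetchall()


def row_count(conn: sqlite3.Connection) -> int:
    """Rows currently in the table."""
    return conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]


def demo() -> tuple:
    conn = fresh_db()
    fits_limit = len(OR_PAYLOAD) <= MAX_LEN                # True: 11 <= 13
    leaked = len(find_by_name_vulnerable(conn, OR_PAYLOAD))  # all 3 rows
    safe = len(find_by_name_safe(conn, OR_PAYLOAD))          # 0 rows
    stacked = len(find_by_id_safe(conn, STACKED_PAYLOAD))    # 0 rows
    intact = row_count(conn)                                 # still 3
    legit = find_by_id_safe(conn, 1)                         # [(1, 'alice')]
    return fits_limit, leaked, safe, stacked, intact, legit


if __name__ == "__main__":
    print(demo())  # (True, 3, 0, 0, 3, [(1, 'alice')])
```

The useful design point is where the boundary sits: a length check constrains how much text arrives, while a bound parameter constrains what role that text can play in the statement. Dynamically assembled SQL can still bind parameters; the if/else logic chooses which clauses to append, and each appended clause carries a placeholder with its value added to the parameter list.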
