Chapter 7: Unexpected Input (page 215)

Microsoft SQL Server will return all objects registered for that database, including stored procedures and table names. When involved in SQL hacking, it's good to know what resources each of the database servers provides. Due to the nature of SQL hacking, you may not be able to see your results, because most applications are not designed to handle multiple record sets; therefore, you may need to fumble your way around until you verify that you do have access. Unfortunately, there is no easy way to tell, because most SQL commands require a valid table name to work. You may have to get creative in determining this information.

Performing SQL hacking, blind or otherwise, is definitely possible. It may require some insight into your target database server, which may be unknown to the attacker. You should become familiar with the SQL extensions and stored procedures that your particular server implements. For example, Microsoft SQL Server has a stored procedure to e-mail the results of a query somewhere. This can be extremely useful because it would allow you to see the second returned data set. MySQL allows you to save queries out to files, which may allow you to retrieve the results. Try to use the extra functionality of the database server to your advantage.

Application Authentication

Authentication always proves to be an interesting topic. When a user needs to log in to an application, where are the authentication credentials stored? How does the user stay authenticated? For normal single-user desktop applications this isn't as tough a question, but for Web applications it proves to be a challenge.
The popular method is to give a large random session or authentication key whose keyspace (the total number of possible keys) is large enough to thwart brute-forcing efforts. However, there are two serious concerns with this approach. The key must prove to be truly random; any predictability will result in increased chances of an attacker guessing a valid session key.
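The two properties the paragraph above asks of a session key, a large keyspace and true randomness, can be made concrete. The following is an added example written for this edit, not code from the book; it generates keys from the operating system's cryptographic random source, computes the keyspace in bits, shows why keyspace alone is not enough by building a constructed weak generator whose output is fully determined by a small seed (a hypothetical timestamp-seeded generator), and compares a presented key against the stored one in constant time. The function names and the 32-byte key length are this example's own choices.

```python
import math
import random
import secrets

TOKEN_BYTES = 32  # 256-bit session key; the nominal keyspace is 2**256


def new_session_key(n_bytes: int = TOKEN_BYTES) -> str:
    """Session key drawn from the OS CSPRNG via the secrets module.

    Unpredictable to anyone without access to the kernel entropy source,
    which is the 'truly random' requirement stated in the text.
    """
    return secrets.token_hex(n_bytes)


def keyspace_bits(n_bytes: int) -> int:
    """Size of the keyspace as a power of two: 8 bits per random byte."""
    return 8 * n_bytes


def log2_expected_guesses(n_bytes: int, live_sessions: int) -> float:
    """log2 of the expected number of blind guesses before hitting a valid key.

    With S live sessions in a space of 2**b keys, one guess succeeds with
    probability S / 2**b, so the expected number of guesses is 2**b / S.
    Returned in log2 form to keep the number readable.
    """
    return keyspace_bits(n_bytes) - math.log2(live_sessions)


def weak_session_key(seed: int, n_bytes: int = TOKEN_BYTES) -> str:
    """Constructed weak generator: a non-cryptographic PRNG seeded from one integer.

    The key looks as long as a strong one, but its effective keyspace is the
    seed space, because the same seed always reproduces the same key. This is
    the predictability the text warns about, shown in code (assumed design,
    not a real application's generator).
    """
    rng = random.Random(seed)
    return rng.getrandbits(8 * n_bytes).to_bytes(n_bytes, "big").hex()


def weak_keys_are_reproducible(seed: int) -> bool:
    """True when two independently seeded weak generators emit the same key."""
    return weak_session_key(seed) == weak_session_key(seed)


def strong_keys_are_distinct(samples: int = 100) -> bool:
    """True when repeated CSPRNG draws never collide (they should not)."""
    keys = {new_session_key() for _ in range(samples)}
    return len(keys) == samples


def session_key_valid(presented: str, stored: str) -> bool:
    """Constant-time comparison so the check leaks no timing about the stored key."""
    return secrets.compare_digest(presented, stored)


if __name__ == "__main__":
    key = new_session_key()
    print("key:", key)
    print("keyspace bits:", keyspace_bits(TOKEN_BYTES))
    print("log2 expected guesses with 1024 live sessions:",
          log2_expected_guesses(TOKEN_BYTES, 1024))
    print("weak generator reproducible from seed:", weak_keys_are_reproducible(1700000000))
    print("strong keys distinct:", strong_keys_are_distinct())
    print("valid:", session_key_valid(key, key))
```

The point of `weak_session_key` is that a 256-bit key whose only input is a 32-bit seed gives the attacker a 2**32 search, not a 2**256 one; the keyspace figure reported by `keyspace_bits` is only meaningful when the generator behind the key is a CSPRNG.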
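Returning to the SQL hacking discussion earlier on this page: the injection it describes is only possible when user input is pasted into the statement text. The following added example is not the book's code; it uses a constructed in-memory SQLite table (hypothetical `users` table, Python's standard `sqlite3` module) to place a string-concatenated lookup beside the parameterized form and to show how the same input behaves against each, so a defender can see exactly what binding the value as a parameter changes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Input concatenated into the statement: the query's structure is caller-controlled."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value is sent as data and can never alter the statement."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def compare(name: str) -> tuple:
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    # Ordinary input: both forms agree.
    print(compare("alice"))
    # Input that closes the quote and appends a tautology: the concatenated
    # form returns every row, the parameterized form matches nothing because
    # no user is literally named that string.
    print(compare("' OR '1'='1"))
```

The `sqlite3` driver also refuses to run more than one statement per `execute` call, which is a small illustration of the page's observation that the result of an injected second query is frequently not visible to the person who injected it: whether such a query runs at all, and whether its result set ever reaches the caller, depends on the driver and the application, which is why parameter binding rather than driver behaviour is the control to rely on.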