上QQ阅读APP看书,第一时间看更新
Goals of an SQL injection attack for bug bounty hunters
There are a number of reasons why bug bounty hunters would use SQL injection to generate a proof of concept (POC) report:
- Stealing information: A simple POC for a SQL injection attack would be to steal information, such as simple usernames and passwords, and show them as proof of concept to the program owners.
- Feeding false information: When a simple information theft is not sufficient for the program owners and something else is required, it is crucial that you feed false information or update some tables.
- Taking over control: Sometimes, to acquire more bounty and to make your bug bounty report comprehensive, it is important that you show how the SQL injection can be chained to own a machine or gain access to the system.
SQL injection is basically the injection of unauthorized code in SQL statements and it is one of the most common attack mechanisms utilized by hackers to harvest data.
SQL injection is undoubtedly a very critical attack; this is because it is intertidally a dangerous vulnerability and can be chained with other vulnerabilities to perform attacks such as remote code execution, stored XSS, and complete application takeover.