follows:
/************* WARNING ****************
 * THIS IS AN SQL INJECTION DEMO - DON'T RUN IT ON PRODUCTION
 * EXECUTE IT AT YOUR OWN RISK
 ***************************************/
USE tempdb;
GO

/**** DISCLAIMER - DEMO CODE ONLY - DON'T USE IT IN PRODUCTION ****/
-- Deliberately vulnerable: the caller's value is spliced straight into the
-- SQL text, so a quote character in @input ends the LIKE literal and whatever
-- follows it is parsed as further SQL.
CREATE PROC sprocSQLInjectionAttackDemo
    @input nchar(10)
AS
BEGIN
    DECLARE @SQL nvarchar(max)
    SET @SQL = ' SELECT Color FROM AdventureWorks2008.Production.Product' + CHAR(10) +
               ' WHERE Color like ' + @input
    PRINT @SQL      -- shows the statement actually built from the input
    EXEC (@SQL)
END
GO

-- Test SQL injection stored procedure
-- The value is two single quotes (an empty string literal) followed by SHUTDOWN
DECLARE @input nchar(10) = '''''SHUTDOWN'
EXEC sprocSQLInjectionAttackDemo @input
GO

/*
 SELECT Color FROM AdventureWorks2008.Production.Product
 WHERE Color like ''SHUTDOWN

(0 row(s) affected)
The SHUTDOWN statement cannot be executed within a transaction or by a stored procedure.
Msg 0, Level 11, State 0, Line 0
A severe error occurred on the current command. The results, if any, should be discarded.
*/
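A hardened counterpart, added here as an example and not part of the original post: the same query is run through sp_executesql with the caller's value bound as a typed parameter, so it is never concatenated into the SQL text and cannot close the string literal or start a second statement. The procedure name sprocSQLInjectionSafeDemo and the parameter name @pattern are my own choices.

```sql
USE tempdb;
GO

-- Parameterised version of the demo procedure (added example).
-- @input only ever reaches SQL Server as the value of @pattern, never as
-- part of the statement text, so quote characters in it have no effect.
CREATE PROC sprocSQLInjectionSafeDemo
    @input nvarchar(50)
AS
BEGIN
    DECLARE @SQL nvarchar(max) = N'SELECT Color'
        + CHAR(10) + N'FROM AdventureWorks2008.Production.Product'
        + CHAR(10) + N'WHERE Color LIKE @pattern';

    PRINT @SQL;   -- the printed text is fixed; the caller's value is not in it

    EXEC sp_executesql
        @SQL,
        N'@pattern nvarchar(50)',   -- parameter declaration for the batch
        @pattern = @input;          -- bound value, not spliced text
END
GO

-- Same hostile input as the original demo. Here it is just a LIKE pattern
-- (two quote characters followed by SHUTDOWN), matches no colour, and
-- returns zero rows; nothing after the quotes is parsed as SQL.
DECLARE @input nvarchar(50) = N'''''SHUTDOWN';
EXEC sprocSQLInjectionSafeDemo @input;
GO

-- A normal pattern still works as expected.
EXEC sprocSQLInjectionSafeDemo N'Bl%';
GO
```

The only difference from the original procedure that matters is where the input ends up: in the SQL text (original) versus in a parameter slot (this version); the PRINT output makes that visible before anything executes.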