Overview of technique
A nice way of doing SQL Injection is to:
- Copy the code you want dynamic into the script
- Put quotes on each end
- Replace the parameters with <parametername>
- Using the SQL REPLACE function, switch out <parametername> with the value of the parameter
- Query your little heart out
This T-SQL script shows an example:

    /* Declare variables */
    DECLARE @wcSQL AS NVARCHAR(max)
    DECLARE @columnWeWantToReturn VARCHAR(50)
    SET @columnWeWantToReturn = 'name'

    /* Prepare SQL Statement: <name> is the placeholder to be replaced */
    SET @wcSQL = 'SELECT <name> FROM sys.sysobjects'

    /* Replace parameters */
    SET @wcSQL = REPLACE(@wcSQL, '<name>', @columnWeWantToReturn)

    /* Execute the dynamic sql */
    EXEC sp_executesql @statement = @wcSQL
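The same template-and-REPLACE approach with the input handling made explicit, as an added example that is not from the original post. Whatever REPLACE substitutes becomes part of the statement text, so the identifier is checked against the catalog and wrapped with QUOTENAME. The `@objectType` filter is an assumption added here to go beyond the page's single column placeholder; it is a data value, so it is bound through sp_executesql instead of being replaced in.

```sql
/* Added example: the page's <placeholder> template with validated input. */
DECLARE @wcSQL NVARCHAR(MAX);
DECLARE @columnWeWantToReturn SYSNAME = N'name'; -- caller-supplied identifier (constructed sample)
DECLARE @objectType CHAR(2) = 'U';               -- caller-supplied data value (assumed for this example)

/* 1. An identifier cannot be bound as a parameter, so confirm it is a
      real column of the target object before it touches the statement. */
IF NOT EXISTS (SELECT 1
               FROM sys.all_columns
               WHERE object_id = OBJECT_ID(N'sys.sysobjects')
                 AND name = @columnWeWantToReturn)
BEGIN
    RAISERROR(N'Unknown column requested.', 16, 1);
    RETURN;
END;

/* 2. Template: <name> is the identifier placeholder; @type stays a
      genuine parameter and is never replaced into the text. */
SET @wcSQL = N'SELECT <name> FROM sys.sysobjects WHERE type = @type';

/* 3. QUOTENAME brackets the identifier and doubles any ] inside it,
      so the substituted text can only ever be read as one name. */
SET @wcSQL = REPLACE(@wcSQL, N'<name>', QUOTENAME(@columnWeWantToReturn));

/* 4. Execute: statement text, parameter definition, then the bound value. */
EXEC sys.sp_executesql
     @wcSQL,
     N'@type CHAR(2)',
     @type = @objectType;
```

With the sample values, the statement that runs is `SELECT [name] FROM sys.sysobjects WHERE type = @type`, and a column name that is not in the catalog stops the batch before anything is executed.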