SQLStringInjection.jsp
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%@ page language="java" contentType="text/html; charset=UTF-8" %>
<%@ taglib uri="/tags/struts-html" prefix="html" %>
<html:html xhtml="true">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>SQL Injection Example</title>
<html:base />
<link rel="stylesheet" type="text/css" href="../../css/example.css" />
</head>
<body>
<html:link action="/unsecure/attacks">
<html:img src="../../images/return.gif" width="24" height="24" alt="Return to examples page" styleClass="icon" />
</html:link>
<h1>How to perform String SQL Injection</h1>
<hr noshade="noshade"/>
<p><b>General Goal(s):</b></p>
<p>The form below allows a user to view account values. Try to inject an SQL string that results
in all the accounts being displayed.</p>
<p>First, insert the username <b>ACID</b>. You will see only the data related to the username ACID.</p>
<p>Then insert the value <b>ACID' or '1'='1</b>, and you will see all the accounts.</p>
<div>
<html:form action="/unsecure/processSQLStringInjection">
<label>Enter your last name:
<html:text property="account" value="" />
</label>
<html:submit value="Go!" />
</html:form>
</div>
</body>
</html:html>
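The page shows only the form; the action that builds the query is not on it. The following is an added example, not code from this project, that simulates such a backend with an in-memory SQLite table so the behaviour described above can be reproduced and compared with the parameterised fix. The `accounts` table, its sample rows and the shape of the lookup query are constructed assumptions.

```python
"""Added example: why the page's payload returns every account, and the fix.
The schema, sample data and query shape are assumptions; the real action
behind /unsecure/processSQLStringInjection is not shown on the page."""
import sqlite3

# Constructed sample data (not from the project).
SAMPLE_ACCOUNTS = [("ACID", 1200.50), ("BOB", 75.00), ("CAROL", 9800.00)]


def build_db() -> sqlite3.Connection:
    """Create the assumed accounts table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """Assumed vulnerable shape: the form field is concatenated into the SQL text,
    so a quote in the input changes the query's grammar instead of its data."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account: str) -> list:
    """Hardened form: a bound parameter is only ever compared as a value,
    so the same input simply matches no row."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (account,)).fetchall()


def run_exercise() -> dict:
    """Run both lookups with the normal input and the page's payload."""
    conn = build_db()
    payload = "ACID' or '1'='1"  # the value the page tells the user to submit
    return {
        "vuln_normal": lookup_vulnerable(conn, "ACID"),
        "vuln_payload": lookup_vulnerable(conn, payload),  # every row
        "safe_normal": lookup_safe(conn, "ACID"),
        "safe_payload": lookup_safe(conn, payload),  # no rows
    }


if __name__ == "__main__":
    for name, rows in run_exercise().items():
        print(f"{name}: {rows}")
```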