Brute force password guessing
One can certainly attempt brute force guessing of passwords at the main login page, but many systems make an effort to detect or even prevent this. There could be log files, account lockouts, or other devices that would substantially impede our efforts, but because of the non-sanitized inputs, we have another avenue that is much less likely to be so protected.
We’ll instead do actual password testing in our snippet by including the email name and password directly. In our example, we’ll use our victim, [email protected] and try multiple passwords.
SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]' AND passwd = 'hello123';
This is clearly well-formed SQL, so we don’t expect to see any server errors, and we’ll know we found the password when we receive the “your password has been mailed to you” message. Our mark has now been tipped off, but we do have his password.
This procedure can be automated with scripting in perl, and though we were in the process of creating this script, we ended up going down another road before actually trying it.