Calling all SQL-savvy Anons - Iowa and Shadow, inc exploit?
Anonymous No.9495636
I am not a "coder". Cisco CLI does not count, as I understand it. Can you correct me if I have misunderstood the following?
If you set up the connection from your web-facing server to your SQL server improperly, you can get a situation where normal data inputs will work just fine; HOWEVER, if a 'hacker' enters a query using the app from outside the network in a crafty way, they can turn that query into a command. If you mess up really, really badly, the output will be displayed back to the 'hacker', making it 1000x easier to mess your database up.
Preventing this is called sanitation; it's super easy to do correctly and it's literally something you can't pass your first SQL class without mastering. It only shows that the creator of the app was absolutely incompetent at best and at worst intentionally created a backdoor to exploit/break the app for nefarious advantage.
Pic Related
Partial follow-up/copy pasta
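The distinction the post is drawing (input treated as data vs. input that becomes part of the command) is easiest to see side by side. The following is an added example, not code from the post or from any app it refers to; it uses Python's built-in sqlite3 with a constructed in-memory `users` table, and the two lookup functions and the sample inputs are assumptions for illustration. The "unsafe" version glues the username into the query text, so a crafted value changes the WHERE clause and returns every row; the parameterized version hands the value to the driver separately, so the same input simply matches no user.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users with a 'secret' column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the input is concatenated into the SQL text.

    Whatever the caller supplies is parsed by the database as part of
    the statement, so quotes and operators in the input rewrite the query.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username + "'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_safe(conn, username):
    """Hardened pattern: a parameterized query ('?' placeholder).

    The driver transmits the value separately from the statement text, so
    it is compared as a literal string and can never become SQL syntax.
    """
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [row[0] for row in rows]


def compare(normal="alice", crafted="x' OR '1'='1"):
    """Run both lookups on a normal input and on a constructed crafted one.

    Returns a dict so the effect of each pattern can be inspected or tested.
    """
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_crafted": lookup_unsafe(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:15s} -> {result}")
```

Running it shows `unsafe_crafted` returning both users (the input rewrote the WHERE clause) while `safe_crafted` returns an empty list (the input was just an unusual, non-matching username). In a real review, the thing to grep for is any query string built with `+`, `%`, f-strings or `.format()` from request data; every such site should be rewritten to the placeholder form, since escaping by hand is the part people get wrong.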